Incorrect Calculation of Buffer Size Affecting kernel-zfcpdump-devel-matched package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL10-KERNELZFCPDUMPDEVELMATCHED-16470866
- published7 May 2026
- disclosed6 May 2026
Introduced: 6 May 2026
NewCVE-2026-43233 (opens in a new tab)How to fix?
There is no fixed version for RHEL:10 kernel-zfcpdump-devel-matched.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-zfcpdump-devel-matched package and not the kernel-zfcpdump-devel-matched package as distributed by RHEL.
See How to fix? for RHEL:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
In decode_choice(), the boundary check before get_len() uses the
variable len, which is still 0 from its initialization at the top of
the function:
unsigned int type, ext, len = 0;
...
if (ext || (son->attr & OPEN)) {
BYTE_ALIGN(bs);
if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */
return H323_ERROR_BOUND;
len = get_len(bs); /* OOB read */
When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well.
This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer.
Fix this by checking for 2 bytes (the maximum that get_len() may read)
instead of the uninitialized len. This matches the pattern used at
every other get_len() call site in the same file, where the caller
checks for 2 bytes of available data before calling get_len().
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2467135
- https://access.redhat.com/security/cve/CVE-2026-43233
- https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a
- https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224
- https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1
- https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16
- https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead
- https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60
- https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041
- https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129