CRITICAL · CVE-2026-52986 · CNA: Linux

CVE-2026-52986: netfilter: nf_conntrack_sip: don't use simple_strtoul

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: don't use simple_strtoul

Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request() with a new sip_parse_port() helper that validates each digit against the buffer limit, eliminating the use of simple_strtoul() which assumes NUL-terminated strings.

The previous code dereferenced pointers without bounds checks after sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated skb data. A port that reaches the buffer limit without a trailing character is also rejected as malformed.

Also get rid of all simple_strtoul() usage in conntrack, prefer a stricter version instead. There are intentional changes:

  • Bail out if number is > UINT_MAX and indicate a failure, same for too long sequences. While we do accept 05535 as port 5535, we will not accept e.g. 'sip:10.0.0.1:005060'. While it's syntactically valid under RFC 3261, we should restrict this to not waste cycles when presented with malformed packets with 64k '0' characters.
  • Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch 'expire=' and 'rports='; both are expected to use base-10.
  • In nf_nat_sip.c, only accept the parsed value if it's within the 1k-64k range.
  • epaddr_len now returns 0 if the port is invalid, as it already does for invalid ip addresses. This is intentional.

nf_conntrack_sip performs lots of guesswork to find the right parts of the message to parse. Being stricter could break existing setups. Connection tracking helpers are designed to allow traffic to pass, not to block it.

Based on an earlier patch from Jenny Guanni Qu <qguanni@gmail.com>.
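As an added illustration (not the kernel's code and not part of this record), the C model below shows the two parsing rules the commit message describes for sip_parse_port(): every digit is compared against the buffer limit before it is read, and a number that runs up to the limit with no trailing byte is rejected as malformed. It also shows, on a buffer this program owns, why a simple_strtoul()-style loop misreads a non-NUL-terminated payload. The names parse_port_bounded and parse_port_unbounded, the 5-digit cap, the 65535 range check and the sample URI are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not kernel code: a bounds-checked decimal port parser
 * modelled on the behaviour the commit message describes for sip_parse_port().
 * Names, the 5-digit cap and the range check are assumptions of this example.
 */

#define PORT_MAX_DIGITS 5   /* "05535" is accepted, "005060" is rejected */

enum port_status {
    PORT_OK = 0,
    PORT_ERR_NO_DIGITS,  /* no decimal digit at the start position */
    PORT_ERR_TOO_LONG,   /* more than PORT_MAX_DIGITS digits */
    PORT_ERR_AT_LIMIT,   /* digits ran up to `limit` with no trailing byte */
    PORT_ERR_RANGE       /* value exceeds 65535 (assumption for this example) */
};

/*
 * Parse a base-10 port from the half-open range [dptr, limit). Every byte is
 * compared against `limit` before it is dereferenced, so a non-NUL-terminated
 * payload can never be read past its end.
 */
static enum port_status parse_port_bounded(const char *dptr, const char *limit,
                                           unsigned int *port, const char **endp)
{
    const char *p = dptr;
    unsigned int val = 0;
    size_t ndigits = 0;

    while (p < limit && *p >= '0' && *p <= '9') {
        if (++ndigits > PORT_MAX_DIGITS)
            return PORT_ERR_TOO_LONG;
        val = val * 10 + (unsigned int)(*p - '0');  /* <= 99999, cannot overflow */
        p++;
    }
    if (ndigits == 0)
        return PORT_ERR_NO_DIGITS;
    if (p == limit)              /* number ends exactly at the buffer end */
        return PORT_ERR_AT_LIMIT;
    if (val > 65535)
        return PORT_ERR_RANGE;

    *port = val;
    *endp = p;                   /* first byte after the digits, e.g. ';' */
    return PORT_OK;
}

/*
 * The pattern being replaced: a simple_strtoul()-style loop that stops only at
 * a non-digit, trusting a terminator the skb payload does not have. Called
 * here only on memory this program owns.
 */
static unsigned long parse_port_unbounded(const char *dptr)
{
    unsigned long val = 0;

    while (*dptr >= '0' && *dptr <= '9')
        val = val * 10 + (unsigned long)(*dptr++ - '0');
    return val;
}

/*
 * Constructed sample: the SIP URI occupies the first SLICE_LEN bytes and the
 * memory right after it holds more digits, as adjacent packet data might.
 * String concatenation keeps every byte read below inside the array.
 */
static const char backing[] = "sip:10.0.0.1:5060" "7777";
#define SLICE_LEN   (sizeof("sip:10.0.0.1:5060") - 1)   /* 17 */
#define PORT_OFFSET 13                                   /* index of the '5' */

/* The unbounded loop keeps reading into "7777" and returns 50607777. */
unsigned long demo_unbounded(void)
{
    return parse_port_unbounded(backing + PORT_OFFSET);
}

/* The bounded parser stops at the slice end and reports PORT_ERR_AT_LIMIT. */
enum port_status demo_bounded(void)
{
    unsigned int port = 0;
    const char *end = NULL;

    return parse_port_bounded(backing + PORT_OFFSET, backing + SLICE_LEN, &port, &end);
}

/* Run the parser on a NUL-terminated test string, treating strlen(s) as the
 * buffer limit (the NUL itself is never read). */
enum port_status status_of(const char *s)
{
    unsigned int port = 0;
    const char *end = NULL;

    return parse_port_bounded(s, s + strlen(s), &port, &end);
}

/* Same, returning the parsed port or 0 on any failure. */
unsigned int value_of(const char *s)
{
    unsigned int port = 0;
    const char *end = NULL;

    return parse_port_bounded(s, s + strlen(s), &port, &end) == PORT_OK ? port : 0;
}

int main(void)
{
    printf("unbounded read on slice : %lu\n", demo_unbounded());
    printf("bounded parse on slice  : status %d (PORT_ERR_AT_LIMIT=%d)\n",
           demo_bounded(), PORT_ERR_AT_LIMIT);
    printf("\"5060;transport=udp\"    : %u\n", value_of("5060;transport=udp"));
    printf("\"05535 \"                : %u\n", value_of("05535 "));
    printf("\"005060 \"               : status %d (PORT_ERR_TOO_LONG=%d)\n",
           status_of("005060 "), PORT_ERR_TOO_LONG);
    return 0;
}
```

The at-limit rejection looks strict, but a port that is the very last thing in the buffer has no terminating byte for the caller to continue from, and the commit message notes the helper treats this as malformed rather than guess. The 5-digit cap is what keeps "05535" valid while refusing "005060" and, more importantly, a payload padded with tens of thousands of leading zeros.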

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds memory read vulnerability exists in the Linux kernel's netfilter SIP connection-tracking helper (nf_conntrack_sip). The flaw is reachable over the network without any authentication, because the affected code processes raw SIP packet data arriving at the host. Successful exploitation gives an attacker the ability to read kernel memory, tamper with kernel state, and crash the affected system. Patched-image rebuilds at versions 5.10.258, 5.15.209, and 6.1.175 (plus the corresponding upstream commit) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-52986 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected kernel or kernel modules. Any image whose kernel version falls within the affected range is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights the finding against each customer environment's compliance policy before routing the alert to the appropriate team inbox. Per-environment prioritization ensures that images in production or internet-facing workloads surface at the top of the queue.

Patch (Available)

A patched-image rebuild at the fix versions (5.10.258, 5.15.209, or 6.1.175 depending on the branch in use) becomes available on HarborGuard for each affected image once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send SIP packets to the target host over the network; no local access or physical proximity is needed.

  • Authentication: Not required

    No credentials or account are needed; the vulnerable code path is triggered by unauthenticated network packets processed by the kernel's netfilter SIP helper.

  • Victim interaction: Not required

    No user action is required; exploitation is fully passive from the victim's perspective and occurs during normal kernel packet processing.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout assumptions, or environmental prerequisites beyond network access.

Blast Radius

  • An attacker can read out-of-bounds kernel memory, which may expose kernel pointers, credentials, or other sensitive data held in kernel buffers at the time of the read.
  • An attacker can corrupt kernel state through the same out-of-bounds access, potentially redirecting execution flow or manipulating conntrack entries to alter packet-filtering decisions.
  • An attacker can crash the affected host by triggering a kernel panic or null-pointer dereference, taking down all workloads running on that node.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image whose kernel version falls in the affected range, including custom base images. For environments with auto-remediation enabled, HarborGuard rebuilds the image at the appropriate fix version (5.10.258, 5.15.209, or 6.1.175), runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes. Where compliance policy or operational constraints prevent immediate auto-remediation, HarborGuard surfaces the finding with CVSS 9.8 (Critical) weighting and routes it to the configured team inbox.

As a compensating control while a patched image is being prepared, consider a network policy that restricts SIP traffic (UDP/TCP ports 5060 and 5061) to known trusted sources, which reduces the surface exposed to this vulnerability. The vulnerable code runs only on hosts where the nf_conntrack_sip module is loaded and the SIP helper is assigned to the flow, so checking whether the helper is actually in use on a node is a quick way to refine the triage.


Fix available

  • Versions: 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
  • Commits: 523762e3b6933fff81f01dfa3c60c0774044cdab, 7df9863bf538a626e8a684e59cb2c43eac0ef3c8, 8cd0358379570003659186706e077929d6930c40, 8cf6809cddcbe301aedfc6b51bcd4944d45795f6, 9c6afcb1c3cbb2c0da65b8515ac14d7273872f84, 9f69c323ae0ab517e595c2cc74e0ae0d9d085611, b3264c977e79d8a25778d4fd11520f00fea1329c, ea2ecd29b8f4433e52607192ca91084f95787ca0
Affected packages

  • Linux / Linux (by commit; all ranges from 05e3ced297fe755093140e7487e292fb7603316e)
    < 8cd0358379570003659186706e077929d6930c40
    < 9c6afcb1c3cbb2c0da65b8515ac14d7273872f84
    < b3264c977e79d8a25778d4fd11520f00fea1329c
    < ea2ecd29b8f4433e52607192ca91084f95787ca0
    < 9f69c323ae0ab517e595c2cc74e0ae0d9d085611
    < 7df9863bf538a626e8a684e59cb2c43eac0ef3c8
  • Linux / Linux (by version)
    From 2.6.26 · Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, 7.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H