Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: diag: reject stale associations in dump_one path

The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.

When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.

Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The exact SCTP sock_diag lookup (the dump_one path) finds a transport, takes a reference on it, and then sleeps on lock_sock(sk). If sctp_association_free() tears the association down while the lookup is waiting for the lock, the lookup resumes holding an association that has already been marked dead and whose bind address list has been emptied and freed. inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() then go on to format that stale state. The damaging case is in inet_diag_msg_sctpasoc_fill(), which takes the first entry of the bind address list without checking that the list is non-empty: on an empty list the list head itself is treated as an sctp_sockaddr_entry, so bytes of the surrounding association memory are read as if they were a bound address. That is an out-of-bounds read of kernel memory that ends up in the diagnostic reply, i.e. an information disclosure to whoever issued the query. It is a race between the diagnostic lookup and association teardown rather than a plain use-after-free of the association object, and the page assigns no CWE to it.
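The empty-list misread described above, modelled in user space as an added example. This is not the kernel's code or the patch: the list helpers and the three structs are simplified stand-ins whose names echo sctp_sockaddr_entry, sctp_bind_addr and sctp_association but whose layout is illustrative, and ESTALE_CODE is an assumed return value standing in for the "stale" report. The unchecked fill reproduces the pre-fix read of the list head as an entry after teardown; the checked fill reproduces the idea of the fix, rejecting a dead association and never walking an empty list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space stand-ins for the kernel list helpers the fill path relies on. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n;
}
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* Like the kernel macro: on an EMPTY list this returns the head itself,
 * cast to the entry type, because head->next == head. */
#define list_first_entry(head, type, member) \
	container_of((head)->next, type, member)

/* Simplified models (assumption: names echo sctp_sockaddr_entry,
 * sctp_bind_addr and sctp_association; layouts are illustrative only). */
struct sockaddr_entry { struct list_head list; uint32_t addr; };
struct bind_addr { struct list_head address_list; };
struct association {
	struct bind_addr bind_addr;  /* list head embedded in the association */
	uint32_t secret;             /* stands in for "unrelated association memory" */
	uint32_t dead;               /* set by the teardown path */
};

#define ESTALE_CODE (-116)  /* assumed: errno ESTALE, reported for a stale lookup */

/* Constructed sample: one association bound to a single address. */
static void setup(struct association *asoc, struct sockaddr_entry *e)
{
	memset(asoc, 0, sizeof *asoc);
	init_list_head(&asoc->bind_addr.address_list);
	asoc->secret = 0xdeadbeefu;
	e->addr = 0x0a000001u;  /* 10.0.0.1 */
	list_add_tail(&e->list, &asoc->bind_addr.address_list);
}

/* Model of sctp_association_free(): the bind list is emptied (its entries
 * freed) and the association is marked dead. */
static void association_free(struct association *asoc, struct sockaddr_entry *e)
{
	list_del(&e->list);
	asoc->dead = 1;
}

/* Pre-fix behaviour: take the first bind entry with no emptiness check.
 * After teardown the "entry" is the list head inside the association, so
 * e->addr reads the field that follows the head ('secret') as an address. */
static uint32_t fill_unchecked(struct association *asoc)
{
	struct sockaddr_entry *e = list_first_entry(&asoc->bind_addr.address_list,
						    struct sockaddr_entry, list);
	return e->addr;
}

/* Fixed behaviour: the check performed after the socket lock is taken.
 * A dead (reaped) association is reported as stale, and an empty list is
 * never walked as if it held an entry. */
static int fill_checked(struct association *asoc, uint32_t *out)
{
	if (asoc->dead || list_empty(&asoc->bind_addr.address_list))
		return ESTALE_CODE;
	*out = list_first_entry(&asoc->bind_addr.address_list,
				struct sockaddr_entry, list)->addr;
	return 0;
}

/* Scenario helpers: each runs lookup-then-teardown on a fresh association. */
static uint32_t live_addr_checked(void)
{
	struct association asoc; struct sockaddr_entry e; uint32_t out = 0;
	setup(&asoc, &e);
	return fill_checked(&asoc, &out) == 0 ? out : 0;
}
static uint32_t stale_addr_unchecked(void)
{
	struct association asoc; struct sockaddr_entry e;
	setup(&asoc, &e);
	association_free(&asoc, &e);  /* teardown won the race while diag waited */
	return fill_unchecked(&asoc);
}
static int stale_status_checked(void)
{
	struct association asoc; struct sockaddr_entry e; uint32_t out = 0;
	setup(&asoc, &e);
	association_free(&asoc, &e);
	return fill_checked(&asoc, &out);
}

int main(void)
{
	printf("live, checked:    addr=0x%08x\n", live_addr_checked());
	printf("stale, unchecked: addr=0x%08x  <- association bytes, not an address\n",
	       stale_addr_unchecked());
	printf("stale, checked:   status=%d (stale)\n", stale_status_checked());
	return 0;
}
```

Build with any C99 compiler. The stale unchecked read returns the value planted in the association's own memory (0xdeadbeef here), which is the class of data the real diag reply would carry back to the requester; the checked path returns the stale status instead of formatting anything.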

Affected Systems

Any Linux kernel build that includes the SCTP sock_diag code (CONFIG_INET_SCTP_DIAG, normally the sctp_diag module) and predates the fix is affected. The fix is identified on this page only by the truncated commit id 480f754580b…; no affected version range, stable backports or distribution advisories are listed. Because distributions backport kernel fixes without changing the upstream version string, exposure should be determined by checking whether the fix commit (or the vendor's corresponding patch) is present in the running kernel, not by comparing version numbers alone.

Risk and Exploitability

The attack surface is the sock_diag netlink interface (a NETLINK_SOCK_DIAG socket, the same interface ss(8) uses), not an ioctl. The vulnerable path is the exact lookup (dump_one) that answers a request for one specific SCTP association, so an attacker has to issue such a query and win a race: the association must be torn down between the transport lookup and the moment lock_sock(sk) is acquired. A plain sock_diag query does not require CAP_NET_ADMIN, so a local unprivileged process that can create SCTP associations and query them can drive both sides of that race itself; a deployment that never loads SCTP, or blocks the sctp and sctp_diag modules, is not reachable this way. The outcome is disclosure of kernel memory in the diagnostic reply rather than code execution; a leak of this kind is mainly useful as a primitive for a further attack. EPSS is below 1% (Very Low), the CVE is not in the CISA KEV catalog, and no public exploit has been reported. Applying the kernel patch removes the issue, since the stale association is rejected after the lock is taken.

Generated by OpenCVE AI on June 24, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the patch commit 480f754580b… or later
  • If an immediate kernel upgrade is not possible and SCTP diagnostics are not needed, prevent the sctp_diag module from loading. Unloading it with rmmod is not enough on its own: a sock_diag request for the SCTP protocol makes the kernel autoload the matching diag handler module again, so block it with a modprobe install rule (or blacklist the sctp module entirely where SCTP itself is unused). This only applies when sctp_diag is built as a module (CONFIG_INET_SCTP_DIAG=m); a built-in handler cannot be removed this way
  • If diagnostics must remain available, restricting who can query them is harder than it sounds: sock_diag requests carry no capability requirement, so the restriction has to come from the sandbox around untrusted workloads, for example a seccomp filter that denies creating NETLINK_SOCK_DIAG sockets or an LSM policy on netlink sockets. This reduces exposure but does not remove the vulnerable code

Generated by OpenCVE AI on June 24, 2026 at 13:42 UTC.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 07:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | In the Linux kernel, the following vulnerability has been resolved: sctp: diag: reject stale associations in dump_one path The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list. When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory. Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.
Title               |                | sctp: diag: reject stale associations in dump_one path
First Time appeared |                | Linux
                    |                | Linux linux Kernel
CPEs                |                | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products  |                | Linux
                    |                | Linux linux Kernel
References          |                |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T07:14:13.886Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52917

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T13:00:06Z

Weaknesses

No weakness.