Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: diag: reject stale associations in dump_one path

The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.

When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.

Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the SCTP diagnostic subsystem can dereference a stale association after the association has been freed. The flaw arises because the exact sock_diag lookup retains a transport reference and locks the socket, but subsequent association free removes its bind‑address list. The diagnostic code still accesses this memory and can read out‑of‑bounds data, exposing kernel memory contents. This use‑after‑free is classified as CWE‑825. An attacker who can trigger a SCTP diagnostic request can obtain confidential data from the kernel, potentially enabling further exploitation.

Affected Systems

All Linux kernel builds that include the SCTP diagnostic feature before the commit that added the fix (480f754580b5686b928977d16a59f20cef83ff01) are vulnerable. Modern kernel releases after that commit have the defensive change. Administrators should consult the running kernel’s build against that commit to determine exposure.

Risk and Exploitability

The CVSS base score of 7.1 reflects a moderate to high impact condition, and the EPSS score of <1 % indicates a very low probability of exploitation in the current landscape. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a privileged or local user sending a netlink or ioctl SCTP diagnostic request, which would require access to the kernel’s diagnostic subsystem. While no public exploit has been reported, information disclosure could facilitate more serious attacks and should be mitigated promptly.

Generated by OpenCVE AI on June 28, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates commit 480f754580b… which removes the stale association path.
  • If an immediate upgrade is not feasible, disable the SCTP diagnostic feature or unload the SCTP diagnostic module so that the vulnerable code path is not exercised.
  • Restrict access to the SCTP diagnostics interface by enforcing strict capabilities or requiring elevated privileges to prevent unprivileged users from triggering the vulnerable lookup.

Generated by OpenCVE AI on June 28, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sctp: diag: reject stale associations in dump_one path The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list. When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory. Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.
Title sctp: diag: reject stale associations in dump_one path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:34.757Z

Reserved: 2026-06-09T07:44:35.367Z

Link: CVE-2026-52917

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52917 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:00:12Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference