Impact
In the Linux kernel, the SCTP diagnostic subsystem can dereference a stale association after the association has been freed. The flaw arises because the exact sock_diag lookup retains a transport reference and locks the socket, but subsequent association free removes its bind‑address list. The diagnostic code still accesses this memory and can read out‑of‑bounds data, exposing kernel memory contents. This use‑after‑free is classified as CWE‑825. An attacker who can trigger a SCTP diagnostic request can obtain confidential data from the kernel, potentially enabling further exploitation.
Affected Systems
All Linux kernel builds that include the SCTP diagnostic feature before the commit that added the fix (480f754580b5686b928977d16a59f20cef83ff01) are vulnerable. Modern kernel releases after that commit have the defensive change. Administrators should consult the running kernel’s build against that commit to determine exposure.
Risk and Exploitability
The CVSS base score of 7.1 reflects a moderate to high impact condition, and the EPSS score of <1 % indicates a very low probability of exploitation in the current landscape. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a privileged or local user sending a netlink or ioctl SCTP diagnostic request, which would require access to the kernel’s diagnostic subsystem. While no public exploit has been reported, information disclosure could facilitate more serious attacks and should be mitigated promptly.
OpenCVE Enrichment
Debian DLA