Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: stream: fully roll back denied add-stream state

When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
then lowers outcnt. That leaves removed stream metadata behind, so a
later re-add can reuse a stale ext and hit a null-pointer dereference in
the scheduler get path.

Fix the rollback by tearing down the removed stream state the same way
other stream resizes do. Unschedule the current scheduler state, drop
the removed stream ext state with sctp_stream_outq_migrate(), and then
reschedule the remaining streams.

This keeps scheduler-private RR/FC/PRIO lists consistent while fully
rolling back denied outgoing stream additions.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s SCTP implementation incorrectly handles denied outgoing stream additions; when ADD_OUT_STREAMS is refused, the kernel fails to fully discard stale stream metadata, allowing a subsequent re‑add to dereference a null pointer within the scheduler’s get path. This flaw results in a kernel crash and effectively renders the affected host unavailable.

Affected Systems

Any Linux kernel version that includes the SCTP stream handling code before the commit that removes removed stream metadata during a rollback is vulnerable. Systems running an unpatched kernel that exposes the SCTP protocol, whether via a loaded module or built‑in support, are at risk.

Risk and Exploitability

The vulnerability appears to be exploitable by sending SCTP packets that trigger an ADD_OUT_STREAMS denial, then re‑adding the same stream, causing a null-pointer dereference. The CVSS score of 7.5 indicates moderate to < 1% suggests a low probability of practical exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network traffic on protocol number 132, with no authentication or privilege requirements described.

Generated by OpenCVE AI on June 28, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that contains the SCTP rollback fix, which eliminates the null-pointer dereference (CWE‑825) by properly tearing down removed stream state during a rollback.
  • If an immediate kernel upgrade is impossible, disable the SCTP protocol by unloading the sctp kernel module or setting sysctl net.sctp.enabled=0, thereby preventing malicious SCTP traffic from reaching vulnerable code.
  • Block or rate‑limit SCTP traffic (protocol number 132) at the network perimeter until the patch is applied, reducing the attack surface and mitigating the risk associated with this denial‑of‑service flaw.

Generated by OpenCVE AI on June 28, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sctp: stream: fully roll back denied add-stream state When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed stream metadata behind, so a later re-add can reuse a stale ext and hit a null-pointer dereference in the scheduler get path. Fix the rollback by tearing down the removed stream state the same way other stream resizes do. Unschedule the current scheduler state, drop the removed stream ext state with sctp_stream_outq_migrate(), and then reschedule the remaining streams. This keeps scheduler-private RR/FC/PRIO lists consistent while fully rolling back denied outgoing stream additions.
Title sctp: stream: fully roll back denied add-stream state
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:36:49.598Z

Reserved: 2026-06-09T07:44:35.368Z

Link: CVE-2026-52929

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52929 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference