Impact
The Linux kernel’s SCTP implementation incorrectly handles denied outgoing stream additions; when ADD_OUT_STREAMS is refused, the kernel fails to fully discard stale stream metadata, allowing a subsequent re‑add to dereference a null pointer within the scheduler’s get path. This flaw results in a kernel crash and effectively renders the affected host unavailable.
Affected Systems
Any Linux kernel version that includes the SCTP stream handling code before the commit that removes removed stream metadata during a rollback is vulnerable. Systems running an unpatched kernel that exposes the SCTP protocol, whether via a loaded module or built‑in support, are at risk.
Risk and Exploitability
The vulnerability appears to be exploitable by sending SCTP packets that trigger an ADD_OUT_STREAMS denial, then re‑adding the same stream, causing a null-pointer dereference. The CVSS score of 7.5 indicates moderate to < 1% suggests a low probability of practical exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote network traffic on protocol number 132, with no authentication or privilege requirements described.
OpenCVE Enrichment
Debian DLA