Impact
The flaw arises because sctp_getsockopt_peer_auth_chunks() checks the buffer length incorrectly. When the caller requests the peer AUTH chunk list with a buffer sized exactly for the number of chunks, the test passes yet copy_to_user() writes eight bytes past the declared length, causing an out‑of‑bounds write into the caller’s address space. The eight bytes belong to the sctp_authchunks header and contain data supplied by the remote peer. Consequently, a local unprivileged user can overwrite adjacent data within the same process, potentially corrupting program state or leaking sensitive information, but the kernel memory remains untouched and no privilege escalation is achieved. The weakness is a buffer overrun (CWE‑131).
Affected Systems
Affected systems are Linux kernel installations that include the unpatched sctp_getsockopt_peer_auth_chunks() implementation. The reproducer showed the issue on kernel 7.0‑13‑generic, but any kernel before the patch that still contains the flawed check is vulnerable. The vulnerability follows a local attack surface; it does not require network access beyond creating a loopback SCTP association with AUTH enabled, and it does not rely on kernel exploits or privileged capabilities. The flaw affects user‑space processes interacting with SCTP sockets, not the entire system.
Risk and Exploitability
The CVSS score of 5.5 classifies the flaw as moderate. With an EPSS score of < 1 %, the likelihood of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread zero‑day incidents are known. Nonetheless, if an environment employs SCTP with AUTH enabled and permits untrusted users to create local associations, an attacker can trigger the out‑of‑bounds write by repeatedly issuing getsockopt with a too‑small buffer, corrupting the process’s memory. Because the impact is confined to the local process, the risk is limited to confidentiality or integrity compromise of that process, but it does not provide escalation or remote code execution.
OpenCVE Enrichment
Debian DLA