Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks

sctp_getsockopt_peer_auth_chunks() checks that the caller's optval
buffer is large enough for the peer AUTH chunk list with

if (len < num_chunks)
return -EINVAL;

but then writes num_chunks bytes to p->gauth_chunks, which lives
at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8
inside optval. The check is missing the sizeof(struct
sctp_authchunks) = 8-byte header. When the caller supplies
len == num_chunks (for any num_chunks > 0) the test passes but
copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes
past the declared buffer.

The sibling function sctp_getsockopt_local_auth_chunks() at the
next line already has the correct check:

if (len < sizeof(struct sctp_authchunks) + num_chunks)
return -EINVAL;

Align the peer variant with its sibling.

Reproducer confirms on v7.0-13-generic: an unprivileged userspace
caller that opens a loopback SCTP association with AUTH enabled,
queries num_chunks with a short optval, then issues the real
getsockopt with len == num_chunks and sentinel bytes painted past
the buffer observes those sentinel bytes overwritten with the
peer's AUTH chunk type. The bytes written are under the peer's
control but land in the caller's own userspace; this is not a
kernel memory corruption, but it is a kernel-side contract
violation that can silently corrupt adjacent userspace data.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises because sctp_getsockopt_peer_auth_chunks() checks the buffer length incorrectly. When the caller requests the peer AUTH chunk list with a buffer sized exactly for the number of chunks, the test passes yet copy_to_user() writes eight bytes past the declared length, causing an out‑of‑bounds write into the caller’s address space. The eight bytes belong to the sctp_authchunks header and contain data supplied by the remote peer. Consequently, a local unprivileged user can overwrite adjacent data within the same process, potentially corrupting program state or leaking sensitive information, but the kernel memory remains untouched and no privilege escalation is achieved. The weakness is a buffer overrun (CWE‑131).

Affected Systems

Affected systems are Linux kernel installations that include the unpatched sctp_getsockopt_peer_auth_chunks() implementation. The reproducer showed the issue on kernel 7.0‑13‑generic, but any kernel before the patch that still contains the flawed check is vulnerable. The vulnerability follows a local attack surface; it does not require network access beyond creating a loopback SCTP association with AUTH enabled, and it does not rely on kernel exploits or privileged capabilities. The flaw affects user‑space processes interacting with SCTP sockets, not the entire system.

Risk and Exploitability

The CVSS score of 5.5 classifies the flaw as moderate. With an EPSS score of < 1 %, the likelihood of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread zero‑day incidents are known. Nonetheless, if an environment employs SCTP with AUTH enabled and permits untrusted users to create local associations, an attacker can trigger the out‑of‑bounds write by repeatedly issuing getsockopt with a too‑small buffer, corrupting the process’s memory. Because the impact is confined to the local process, the risk is limited to confidentiality or integrity compromise of that process, but it does not provide escalation or remote code execution.

Generated by OpenCVE AI on June 26, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch for CVE‑2026‑53004 (the commit that fixes sctp_getsockopt_peer_auth_chunks() should be present).
  • Reboot the system to load the updated kernel image so the fix is active.
  • If updating is not immediately possible, mitigate exposure by disabling SCTP in the kernel configuration or restricting untrusted users from creating SCTP associations (e.g., by limiting AUTH usage or applying seccomp filters).

Generated by OpenCVE AI on June 26, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-120

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-120

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks sctp_getsockopt_peer_auth_chunks() checks that the caller's optval buffer is large enough for the peer AUTH chunk list with if (len < num_chunks) return -EINVAL; but then writes num_chunks bytes to p->gauth_chunks, which lives at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8 inside optval. The check is missing the sizeof(struct sctp_authchunks) = 8-byte header. When the caller supplies len == num_chunks (for any num_chunks > 0) the test passes but copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes past the declared buffer. The sibling function sctp_getsockopt_local_auth_chunks() at the next line already has the correct check: if (len < sizeof(struct sctp_authchunks) + num_chunks) return -EINVAL; Align the peer variant with its sibling. Reproducer confirms on v7.0-13-generic: an unprivileged userspace caller that opens a loopback SCTP association with AUTH enabled, queries num_chunks with a short optval, then issues the real getsockopt with len == num_chunks and sentinel bytes painted past the buffer observes those sentinel bytes overwritten with the peer's AUTH chunk type. The bytes written are under the peer's control but land in the caller's own userspace; this is not a kernel memory corruption, but it is a kernel-side contract violation that can silently corrupt adjacent userspace data.
Title sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:16.151Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-53004

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53004 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:00:07Z

Weaknesses
  • CWE-131

    Incorrect Calculation of Buffer Size