Impact
The vulnerability arises in the SCTP module of the Linux kernel, where the sctp_unpack_cookie() function allows a malformed COOKIE_ECHO packet to cause an out‑of‑bounds read. The function only verifies that the embedded INIT chunk length does not exceed the remaining cookie payload but does not ensure that the chunk contains a complete INIT header. When sctp_process_init() and sctp_raw_to_bind_addrs() parse the incomplete chunk, they read beyond the cookie buffer. The patch adds checks to validate the INIT chunk length, ensure that the combined lengths of the INIT chunk and raw address list fit within the payload, and verify that address parameter headers contain sufficient data before parsing.
Affected Systems
Every Linux kernel version that contains the vulnerable SCTP code prior to the patch is affected. The flaw exists in the core kernel, so any system that has SCTP enabled and receives SCTP traffic—including most mainstream distributions and custom kernel builds—must apply the fix. The specific kernel version numbers are not listed in the data, but any kernel that has not incorporated the bounds validation and length checks is at risk.
Risk and Exploitability
The CVSS score of 9.1 indicates a Critical severity out‑of‑bounds read. The EPSS score <1% and absence from the CISA KEV catalog suggest low likelihood of exploitation. An attacker able to send SCTP traffic to the target must craft a malformed COOKIE_ECHO packet that triggers the read. Successful exploitation would expose kernel memory contents, potentially leading to information disclosure. No crash or privilege escalation is stated in the description.
OpenCVE Enrichment