Impact
The Linux kernel's SCTP implementation does not fully bounds-check the state cookie it unpacks from a COOKIE_ECHO chunk. sctp_unpack_cookie() verifies that the length claimed by the INIT chunk embedded in the cookie does not exceed the remaining cookie payload, but it does not verify that the chunk is at least sizeof(struct sctp_init_chunk) long, i.e. that a complete INIT header is actually present, nor that the raw address list recorded after the INIT chunk fits inside the cookie. A crafted COOKIE_ECHO can therefore carry either a truncated INIT chunk, whose reported length is smaller than sizeof(struct sctp_init_chunk), or an oversized raw address list. When sctp_process_init() and sctp_raw_to_bind_addrs() later read the INIT fields and walk the address list unconditionally, they read past the end of the cookie buffer. The result is a kernel out-of-bounds read: memory adjacent to the cookie buffer can be disclosed, and a read that reaches an unmapped page crashes the host. Disclosed kernel memory may assist a later privilege-escalation chain, but the primitive itself is a read, not a write.
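To make the two missing checks concrete, the following is a userspace model of the cookie-unpacking logic, added here as an illustration; it is not kernel code, and the cookie layout (struct cookie_fixed, struct parsed, the build_cookie() scenarios) is a hypothetical simplification of the real struct sctp_signed_cookie. The INIT chunk layout does follow RFC 4960 (4-byte chunk header plus 16-byte INIT header). The model parses the same constructed cookie with and without the hardening and reports how far past the end of the buffer a downstream consumer would read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* htons, ntohs, htonl, ntohl */

/* Wire layouts as in RFC 4960; every field is naturally aligned, so no packing is needed. */
struct chunkhdr   { uint8_t type; uint8_t flags; uint16_t length; };                        /* 4 bytes  */
struct inithdr    { uint32_t init_tag, a_rwnd; uint16_t num_out, num_in; uint32_t initial_tsn; }; /* 16 bytes */
struct init_chunk { struct chunkhdr hdr; struct inithdr init; };                            /* 20 bytes */

/* Hypothetical state-cookie layout for this model: a fixed part that records the
 * address-list length, then the embedded INIT chunk, then the raw address list. */
struct cookie_fixed { uint32_t my_vtag; uint32_t peer_vtag; uint32_t raw_addr_list_len; };

#define SCTP_CID_INIT 1

struct parsed {
    size_t init_off;   /* offset of the embedded INIT chunk in the cookie buffer */
    size_t init_len;   /* length claimed by its chunk header */
    size_t addrs_len;  /* length claimed for the raw address list that follows it */
};

/* Model of the unpack step. hardened == 0 performs only the "INIT fits in the cookie"
 * check the text says the original code has; hardened == 1 adds the two checks the
 * text says were missing. Returns 0 on accept, -1 on reject. */
static int unpack_cookie(const uint8_t *buf, size_t len, int hardened, struct parsed *out)
{
    struct cookie_fixed c;
    struct chunkhdr h;

    if (len < sizeof c + sizeof h)
        return -1;
    memcpy(&c, buf, sizeof c);
    memcpy(&h, buf + sizeof c, sizeof h);
    if (h.type != SCTP_CID_INIT)
        return -1;

    size_t remaining = len - sizeof c;
    size_t init_len  = ntohs(h.length);
    size_t addrs_len = ntohl(c.raw_addr_list_len);

    if (init_len > remaining)                      /* present in the original code */
        return -1;
    if (hardened) {
        if (init_len < sizeof(struct init_chunk))  /* INIT header must be complete */
            return -1;
        if (addrs_len > remaining - init_len)      /* address list must fit after it */
            return -1;
    }
    out->init_off  = sizeof c;
    out->init_len  = init_len;
    out->addrs_len = addrs_len;
    return 0;
}

/* Bytes a consumer would read past the end of the buffer when it starts at `start`
 * and reads `want` bytes; 0 means the read stays in bounds. */
static size_t overread(size_t start, size_t want, size_t len)
{
    return start + want > len ? start + want - len : 0;
}

enum scenario { WELL_FORMED, TRUNCATED_INIT, OVERSIZED_ADDRS };

/* Constructed cookies (not captured traffic) for the three cases; returns total length. */
static size_t build_cookie(enum scenario s, uint8_t *buf, size_t cap)
{
    uint16_t init_len      = 20;   /* a full INIT chunk */
    uint32_t addrs_len     = 16;   /* address bytes the cookie claims */
    size_t   addrs_present = 16;   /* address bytes actually in the buffer */
    if (s == TRUNCATED_INIT)  { init_len = 8;   addrs_len = 0;  addrs_present = 0; }
    if (s == OVERSIZED_ADDRS) { addrs_len = 64; addrs_present = 0; }

    struct cookie_fixed c = { htonl(0x11111111u), htonl(0x22222222u), htonl(addrs_len) };
    struct chunkhdr h = { SCTP_CID_INIT, 0, htons(init_len) };
    size_t total = sizeof c + init_len + addrs_present;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, &c, sizeof c);
    memcpy(buf + sizeof c, &h, sizeof h);
    return total;
}

/* 1 if the vulnerable (hardened == 0) or hardened parser accepts the cookie, else 0. */
int accepted(enum scenario s, int hardened)
{
    uint8_t buf[128]; struct parsed p;
    size_t len = build_cookie(s, buf, sizeof buf);
    return unpack_cookie(buf, len, hardened, &p) == 0;
}

/* Bytes past the cookie that reading a whole struct init_chunk would touch (0 if rejected),
 * i.e. what an sctp_process_init()-style consumer would do. */
size_t init_overread(enum scenario s, int hardened)
{
    uint8_t buf[128]; struct parsed p;
    size_t len = build_cookie(s, buf, sizeof buf);
    if (unpack_cookie(buf, len, hardened, &p) != 0) return 0;
    return overread(p.init_off, sizeof(struct init_chunk), len);
}

/* Bytes past the cookie that walking the claimed address list would touch (0 if rejected),
 * i.e. what an sctp_raw_to_bind_addrs()-style consumer would do. */
size_t addrs_overread(enum scenario s, int hardened)
{
    uint8_t buf[128]; struct parsed p;
    size_t len = build_cookie(s, buf, sizeof buf);
    if (unpack_cookie(buf, len, hardened, &p) != 0) return 0;
    return overread(p.init_off + p.init_len, p.addrs_len, len);
}
```

With the truncated INIT (an 8-byte chunk inside a 20-byte cookie) the unhardened parser accepts the cookie and a full 20-byte INIT read runs 12 bytes past the buffer; with the oversized list the parser accepts a 64-byte address walk that starts exactly at the end of the buffer. The hardened parser rejects both and still accepts the well-formed cookie. The point to take from the model is that "fits in the remaining payload" is a necessary check but not a sufficient one: a minimum-length check on every fixed header and an upper bound on every variable-length region are both needed before anything dereferences the data.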
Affected Systems
Any Linux kernel that includes the SCTP code (built in or as the sctp module) and predates the fix is affected. The bug is in the core networking stack rather than in a distribution patch, so mainstream distribution kernels and custom builds alike need the fix. The enrichment does not list the fixed version numbers; treat any kernel that lacks the added length validation as vulnerable. In practice a host is exposed only if the SCTP module is loaded and the host accepts SCTP traffic; the module is normally loaded on demand when a local process opens an SCTP socket, and many hardening baselines blacklist it outright, so check whether it is present (for example with lsmod) before deciding how urgently to patch.
Risk and Exploitability
The vulnerability is a remotely triggerable kernel out-of-bounds read. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so the observed likelihood of exploitation is low. Triggering it requires only network reachability: an attacker who can deliver SCTP packets to the host sends a crafted COOKIE_ECHO, with no credentials needed. One caveat a practitioner should weigh: Linux normally authenticates state cookies with an HMAC unless net.sctp.cookie_hmac_alg is set to none, and the enrichment does not say whether a cookie with a valid HMAC can carry the malformed content, so do not assume the HMAC alone mitigates the issue. Successful exploitation discloses an attacker-influenced amount of kernel memory adjacent to the cookie buffer (a bounded leak, not an arbitrary read) or crashes the host, and the leaked data could feed a later privilege-escalation or defence-bypass chain. Because the flaw is in the kernel, the risk is significant for hosts that must accept SCTP from untrusted networks; all other hosts can block SCTP at the firewall or blacklist the sctp module until the patched kernel is installed.
OpenCVE Enrichment