Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Linux kernel's SCTP implementation. The __sctp_rcv_asconf_lookup() function checks only that an ASCONF chunk is large enough for the ADDIP header and a parameter header before calling af->from_addr_param(), which trusts the parameter's declared length and reads a full 16-byte IPv6 address. An unauthenticated SCTP peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header. When this path is taken, from_addr_param() reads up to 16 bytes from beyond the end of the supplied data, accessing uninitialised memory. This can lead to leakage of sensitive information stored in that region or a kernel panic, affecting confidentiality or availability. The weakness corresponds to CWE-788. The bug is not tied to authentication or privilege, so any host receiving SCTP traffic from an external network could be affected.
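
The header-only check next to a bounded check, as an added userspace example (not the kernel's code or the upstream patch). The function names and sample bytes are constructed for illustration; the sizes and the type values 0xC1, 5 and 6 follow the SCTP wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CHUNK_HDR = 4, ADDIP_HDR = 4, PARAM_HDR = 4,   /* header sizes in bytes */
       PARAM_IPV4 = 5, PARAM_IPV6 = 6 };              /* address parameter types */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Header-only test described above: passes whenever the chunk has room for
 * the ADDIP header and one parameter header. */
int headers_only_ok(const uint8_t *chunk, size_t buf_len)
{
    if (buf_len < CHUNK_HDR || be16(chunk + 2) > buf_len)
        return 0;
    return be16(chunk + 2) >= CHUNK_HDR + ADDIP_HDR + PARAM_HDR;
}

/* Bounded test: the whole address parameter must lie inside the chunk.
 * Returns the number of address bytes safe to read (4 or 16), 0 to reject. */
size_t addr_param_bytes(const uint8_t *chunk, size_t buf_len)
{
    size_t off = CHUNK_HDR + ADDIP_HDR, chunk_len, plen, want;

    if (!headers_only_ok(chunk, buf_len))
        return 0;
    chunk_len = be16(chunk + 2);
    switch (be16(chunk + off)) {
    case PARAM_IPV4: want = PARAM_HDR + 4;  break;
    case PARAM_IPV6: want = PARAM_HDR + 16; break;
    default:         return 0;
    }
    plen = be16(chunk + off + 2);
    if (plen != want || plen > chunk_len - off)  /* declared length runs past the chunk */
        return 0;
    return want - PARAM_HDR;
}

/* Constructed samples: chunk type 0xC1, serial 1, IPv6 parameter declaring length 20. */
static const uint8_t truncated[12] = { 0xC1, 0, 0, 12, 0, 0, 0, 1, 0, 6, 0, 20 };
static const uint8_t complete[28]  = { 0xC1, 0, 0, 28, 0, 0, 0, 1, 0, 6, 0, 20,
                                       0x20, 0x01, 0x0d, 0xb8 /* rest zero */ };

int main(void)
{
    printf("truncated: headers-only=%d bounded=%zu\n",
           headers_only_ok(truncated, sizeof truncated), addr_param_bytes(truncated, sizeof truncated));
    printf("complete:  headers-only=%d bounded=%zu\n",
           headers_only_ok(complete, sizeof complete), addr_param_bytes(complete, sizeof complete));
    return 0;
}
```

The truncated sample passes the header-only test but is rejected by the bounded one, which is the gap the fix closes before the address is read.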

Affected Systems

The flaw resides in the Linux kernel’s SCTP stack. All kernel releases performing the affected code path are potentially vulnerable; no specific versions are listed in the advisory. System administrators should ensure that their kernel is at a revision containing the commit that applies this fix. SCTP support is optional on many systems, so disabling the protocol may also limit exposure.

Risk and Exploitability

The EPSS score is not available, and there is no KEV listing. The patch is included in the kernel source repository; applying the update adds the missing bounds check and secures the receive path.

Generated by OpenCVE AI on June 25, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel version that incorporates the commit fixing the ASCONF lookup bug
  • If the kernel cannot be updated, disable SCTP network traffic by removing or blacklisting the 'sctp' kernel module
  • Monitor system logs for anomalous SCTP traffic and investigate any crashes related to SCTP packet handling



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-788

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description: identical to the text in the Description section at the top of this page
Title: sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:25.911Z

Reserved: 2026-06-09T07:44:35.392Z

Link: CVE-2026-53225

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:30:06Z

Weaknesses
  • CWE-788

    Access of Memory Location After End of Buffer