Impact
In the Linux kernel’s SCTP stack, the __sctp_rcv_asconf_lookup() function verifies that an ASCONF chunk contains enough space for an ADDIP header and a parameter header but does not check that the address parameter it parses is fully within the chunk. A malicious SCTP peer can send a truncated ASCONF chunk that declares an IPv6 address parameter yet provides only the four‑byte parameter header. When the function reads the 16-byte IPv6 address from this incomplete data, it accesses memory that was never supplied, exposing uninitialized data. This can lead to unintended disclosure of internal kernel memory objects.
Affected Systems
The flaw exists in the mainline Linux kernel. All kernel releases that include the code path in net/sctp/input.c and do not contain the recent commit that adds the missing bounds check are potentially vulnerable. Because SCTP support is optional and often disabled in many distributions, disabling the protocol may mitigate exposure, but the safest path is to update the kernel to a version that incorporates the patch.
Risk and Exploitability
The CVSS score of 9.1 indicates a high‑severity vulnerability, while the EPSS score of less than 1% suggests exploitation in the wild is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. A likely attack vector is a remote, unauthenticated SCTP peer that can send a crafted ASCONF chunk to a host that has SCTP listening for connections, potentially allowing the attacker to read up to 16 bytes of uninitialized data from kernel memory.
OpenCVE Enrichment
Debian DLA