Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing

When a listening SCTP server processes a COOKIE_ECHO chunk, the cached
peer INIT chunk embedded after the cookie is parsed and its parameters
are later walked by sctp_process_init() using sctp_walk_params().

However, the chunk header length of this cached INIT chunk was not
validated against the remaining buffer in the COOKIE_ECHO payload. If
the length field is inflated, the parameter walk can run beyond the
actual received data, leading to out-of-bounds reads and potential
memory corruption during later parameter handling (e.g. STATE_COOKIE
processing and kmemdup() copies).

Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT
chunk length does not exceed the available data in the COOKIE_ECHO
buffer before it is used.
Published: 2026-06-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in the Linux kernel’s SCTP implementation. When a listening server receives a COOKIE_ECHO chunk, the kernel parses a cached INIT chunk that may contain an inflated length field. The kernel does not validate that the length does not exceed the remaining payload, which allows an attacker to cause the parameter walker to read past the end of the packet. The read can corrupt internal memory, leading to crashes or other unintended behavior. The weakness corresponds to a bounds‑check failure and is reflected in CWE‑130.

Affected Systems

All Linux kernel versions that include the SCTP subsystem and have not applied the patch that adds a bounds check in sctp_unpack_cookie() are affected. The patch introduced by commit 0861615c28de668669d748ef4eb913ea9262d13b (and any later versions that incorporate that change). Distributions that ship with older kernel releases must verify whether their kernel contains this commit. As the affected code is part of the operating system kernel, any machine running an unpatched kernel is vulnerable. Specific affected-version information is unavailable.

Risk and Exploitability

The vulnerability is exercised entirely over the network. An attacker that can reach a listening SCTP server can send a crafted COOKIE_ECHO packet with an inflated INIT chunk length, triggering the out‑of‑bounds read. This inference relies on the fact that the flaw is discovered in the packet parsing code, confirming a network‑based attack vector. The CVSS score of 9.8 reflects a high severity, while an EPSS score of <1% indicates a low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, so it has not been confirmed as used by threat actors at this time.

Generated by OpenCVE AI on June 28, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest release that contains the sctp_unpack_cookie() bounds‑check commit (0861615c28de668669d748ef4eb913ea9262d13b) or apply a backported patch from the vendor.
  • If the kernel cannot be updated immediately, block all SCTP traffic on host‑based or network firewalls to eliminate the vulnerable entry point.
  • When blanket blocking is unavailable, restrict inbound SCTP traffic to a known set of trusted IP addresses or to an isolated subnet controlled by the organization.

Generated by OpenCVE AI on June 28, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing When a listening SCTP server processes a COOKIE_ECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked by sctp_process_init() using sctp_walk_params(). However, the chunk header length of this cached INIT chunk was not validated against the remaining buffer in the COOKIE_ECHO payload. If the length field is inflated, the parameter walk can run beyond the actual received data, leading to out-of-bounds reads and potential memory corruption during later parameter handling (e.g. STATE_COOKIE processing and kmemdup() copies). Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used.
Title sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:40:52.380Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53246

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53246 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T16:15:04Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency