Impact
This vulnerability exists in the Linux kernel’s SCTP implementation. When a listening server receives a COOKIE_ECHO chunk, the kernel parses a cached INIT chunk that may contain an inflated length field. The kernel does not validate that the length does not exceed the remaining payload, which allows an attacker to cause the parameter walker to read past the end of the packet. The read can corrupt internal memory, leading to crashes or other unintended behavior. The weakness corresponds to a bounds‑check failure and is reflected in CWE‑130.
Affected Systems
All Linux kernel versions that include the SCTP subsystem and have not applied the patch that adds a bounds check in sctp_unpack_cookie() are affected. The patch introduced by commit 0861615c28de668669d748ef4eb913ea9262d13b (and any later versions that incorporate that change). Distributions that ship with older kernel releases must verify whether their kernel contains this commit. As the affected code is part of the operating system kernel, any machine running an unpatched kernel is vulnerable. Specific affected-version information is unavailable.
Risk and Exploitability
The vulnerability is exercised entirely over the network. An attacker that can reach a listening SCTP server can send a crafted COOKIE_ECHO packet with an inflated INIT chunk length, triggering the out‑of‑bounds read. This inference relies on the fact that the flaw is discovered in the packet parsing code, confirming a network‑based attack vector. The CVSS score of 9.8 reflects a high severity, while an EPSS score of <1% indicates a low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, so it has not been confirmed as used by threat actors at this time.
OpenCVE Enrichment