Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing

When a listening SCTP server processes a COOKIE_ECHO chunk, the cached
peer INIT chunk embedded after the cookie is parsed and its parameters
are later walked by sctp_process_init() using sctp_walk_params().

However, the chunk header length of this cached INIT chunk was not
validated against the remaining buffer in the COOKIE_ECHO payload. If
the length field is inflated, the parameter walk can run beyond the
actual received data, leading to out-of-bounds reads and potential
memory corruption during later parameter handling (e.g. STATE_COOKIE
processing and kmemdup() copies).

Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT
chunk length does not exceed the available data in the COOKIE_ECHO
buffer before it is used.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s SCTP implementation allows an attacker to supply a COOKIE_ECHO chunk containing an inflated INIT chunk length that is not validated against the actual payload size. The unchecked length causes the parameter walker to read beyond the received data, potentially corrupting memory during subsequent handling such as STATE_COOKIE processing. This out‑of‑bounds read can lead to information disclosure, crashes, or, if exploited further, arbitrary code execution.
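
A userspace model of the bounds check the description calls for, added here as an illustration and not the kernel's sctp_unpack_cookie() code. The 8-byte cookie body, the function names and the sample buffer are assumptions constructed for this example; the chunk and parameter header layouts follow the SCTP wire format.

```c
#include <stddef.h>
#include <stdint.h>

#define CHUNK_HDR    4   /* type(1) flags(1) length(2, big-endian) */
#define INIT_FIXED  16   /* init tag, a_rwnd, out/in streams, initial TSN */
#define COOKIE_BODY  8   /* hypothetical fixed cookie prefix for this model */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Return the cached INIT chunk length if it fits in the bytes that actually
 * arrived after the cookie body, or -1 if the header is short or inflated. */
int cached_init_len(const uint8_t *payload, size_t payload_len)
{
    if (payload_len < COOKIE_BODY + CHUNK_HDR + INIT_FIXED)
        return -1;
    size_t avail = payload_len - COOKIE_BODY;
    uint16_t len = be16(payload + COOKIE_BODY + 2);
    if (len < CHUNK_HDR + INIT_FIXED || len > avail)
        return -1;              /* claimed length exceeds received data */
    return len;
}

/* Walk TLV parameters inside a validated INIT chunk; -1 on a malformed one. */
int count_params(const uint8_t *init, size_t init_len)
{
    size_t off = CHUNK_HDR + INIT_FIXED;
    int n = 0;
    while (off + 4 <= init_len) {
        uint16_t plen = be16(init + off + 2);
        if (plen < 4 || plen > init_len - off)
            return -1;
        off += ((size_t)plen + 3) & ~(size_t)3;  /* parameters pad to 4 bytes */
        n++;
    }
    return n;
}

/* Constructed sample: cookie body, then an INIT chunk with one 8-byte
 * parameter. claimed_len is what the cached chunk header says about itself. */
int demo(uint16_t claimed_len)
{
    uint8_t buf[COOKIE_BODY + CHUNK_HDR + INIT_FIXED + 8] = {0};
    uint8_t *init = buf + COOKIE_BODY;
    init[0] = 1;                                  /* chunk type INIT */
    init[2] = (uint8_t)(claimed_len >> 8);
    init[3] = (uint8_t)claimed_len;
    init[CHUNK_HDR + INIT_FIXED + 1] = 0x0c;      /* constructed param type */
    init[CHUNK_HDR + INIT_FIXED + 3] = 8;         /* param length */
    int len = cached_init_len(buf, sizeof buf);
    return len < 0 ? -1 : count_params(init, (size_t)len);
}
```

With the honest length of 28 the walk finds one parameter; any claimed length above the 28 bytes that follow the cookie body is rejected before the walk starts.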

Affected Systems

The vulnerability exists in the Linux kernel. No specific affected versions are listed, so all kernel releases prior to the inclusion of the fix are potentially impacted. Users running standard Linux distributions should check whether their kernel contains the commit that adds a bounds check in sctp_unpack_cookie().

Risk and Exploitability

The vulnerability is remote; an attacker only needs to send a crafted SCTP packet to a listening SCTP server. While no CVSS score is supplied, the potential for memory corruption and the remote nature of the trigger imply a high risk of exploitation. The EPSS score is not available and the issue is not listed in CISA's KEV catalog at this time.

Generated by OpenCVE AI on June 25, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the sctp cookie parsing bounds check (commit 0861615c28de668669d748ef4eb913ea9262d13b or later).
  • If the kernel cannot be updated immediately, disable the SCTP listening service or block SCTP traffic on firewalls to prevent an attacker from leveraging the flaw.
  • If disabling SCTP is not feasible, restrict SCTP traffic to trusted hosts only by configuring firewall rules to allow SCTP only from known IP addresses.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-125 |

Thu, 25 Jun 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Same text as the Description section above |
| Title | | sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:39.896Z

Reserved: 2026-06-09T07:44:35.394Z

Link: CVE-2026-53246

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:15:03Z

Weaknesses