SCTP needs to better-check INIT ACK chunk parameters
Summary
| CVE | CVE-2026-15422 |
|---|---|
| State | PUBLISHED |
| Assigner | illumos |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-16 20:16:44 UTC |
| Updated | 2026-07-16 20:16:44 UTC |
| Description | The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde. |
Risk And Classification
Primary CVSS: v4.0 9.1 CRITICAL from 0ca53633-f0b5-4853-ba72-e0a2e62000d0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red
Problem Types: CWE-122 | CWE-787 | CWE-122 CWE-122 Heap-based buffer overflow | CWE-787 CWE-787 Out-of-bounds write
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 0ca53633-f0b5-4853-ba72-e0a2e62000d0 | Secondary | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/C... |
| 4.0 | CNA | CVSS | 9.1 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S... |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Illumos | Illumos-gate | affected a5407c02d5ed61b29481b9b71f1307d7ebec9e5c 53a3efdeff8e6745bbfb69c5360f94962fb79e75 git | Not specified |
| CNA | OmniOS | OmniOS | affected r151058 r151058j custom | Not specified |
| CNA | OmniOS | OmniOS | affected r151056 r151056aj custom | Not specified |
| CNA | OmniOS | OmniOS | affected r151054 r151054bj custom | Not specified |
| CNA | OmniOS | OmniOS | affected any r151054 custom | Not specified |
| CNA | Triton Data Center | SmartOS | affected any 202060709 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| illumos.org/issues/18117 | 0ca53633-f0b5-4853-ba72-e0a2e62000d0 | illumos.org | |
| illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better... | 0ca53633-f0b5-4853-ba72-e0a2e62000d0 | illumos.topicbox.com | |
| github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962... | 0ca53633-f0b5-4853-ba72-e0a2e62000d0 | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Sourque (en)
CNA: Dan McDonald (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-30T20:00:00.000Z | Vendor Notified |
| CNA | 2026-07-08T19:00:00.000Z | Disclosed |
Solutions
CNA: Update your illumos distro to one that includes 18117's fix.
Workarounds
CNA: In order of recommendation: 1.) Hotpatch the faulty SCTP input path. See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact [email protected]. 2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.