SCTP needs to better-check INIT ACK chunk parameters

Summary

CVECVE-2026-15422
StatePUBLISHED
Assignerillumos
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-16 20:16:44 UTC
Updated2026-07-16 20:16:44 UTC
DescriptionThe illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

Risk And Classification

Primary CVSS: v4.0 9.1 CRITICAL from 0ca53633-f0b5-4853-ba72-e0a2e62000d0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red

Problem Types: CWE-122 | CWE-787 | CWE-122 CWE-122 Heap-based buffer overflow | CWE-787 CWE-787 Out-of-bounds write


VersionSourceTypeScoreSeverityVector
4.00ca53633-f0b5-4853-ba72-e0a2e62000d0Secondary9.1CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/C...
4.0CNACVSS9.1CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S...

CVSS v4.0 Breakdown

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Sub Conf.
High
Sub Integrity
High
Sub Availability
High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Illumos Illumos-gate affected a5407c02d5ed61b29481b9b71f1307d7ebec9e5c 53a3efdeff8e6745bbfb69c5360f94962fb79e75 git Not specified
CNA OmniOS OmniOS affected r151058 r151058j custom Not specified
CNA OmniOS OmniOS affected r151056 r151056aj custom Not specified
CNA OmniOS OmniOS affected r151054 r151054bj custom Not specified
CNA OmniOS OmniOS affected any r151054 custom Not specified
CNA Triton Data Center SmartOS affected any 202060709 custom Not specified

References

ReferenceSourceLinkTags
illumos.org/issues/18117 0ca53633-f0b5-4853-ba72-e0a2e62000d0 illumos.org
illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better... 0ca53633-f0b5-4853-ba72-e0a2e62000d0 illumos.topicbox.com
github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962... 0ca53633-f0b5-4853-ba72-e0a2e62000d0 github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Sourque (en)

CNA: Dan McDonald (en)

Additional Advisory Data

SourceTimeEvent
CNA2026-04-30T20:00:00.000ZVendor Notified
CNA2026-07-08T19:00:00.000ZDisclosed

Solutions

CNA: Update your illumos distro to one that includes 18117's fix.

Workarounds

CNA: In order of recommendation: 1.) Hotpatch the faulty SCTP input path.  See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact [email protected]. 2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report