sctp: purge outqueue on stale COOKIE-ECHO handling

Summary

CVECVE-2026-52924
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-24 08:16:22 UTC
Updated2026-07-15 01:16:23 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: sctp: purge outqueue on stale COOKIE-ECHO handling sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out_curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed. However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk. During the rollback, sctp_stream_update() frees the old stream table and installs a new one, but it does not invalidate stream->out_curr. As a result, out_curr may still point to a freed sctp_stream_out entry from the previous stream state. Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out_curr->ext, which can lead to use-after-free once the old stream state has been released via sctp_stream_free(). This results in crashes such as (reported by Yuqi): BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctp_sched_fcfs_dequeue+0x13a/0x140 sctp_outq_flush+0x1603/0x33e0 sctp_do_sm+0x31c9/0x5d30 sctp_assoc_bh_rcv+0x392/0x6f0 sctp_inq_push+0x1db/0x270 sctp_rcv+0x138d/0x3c10 Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart. Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.

Risk And Classification

Primary CVSS: v3.1 7 HIGH from ADP

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS: 0.002690000 probability, percentile 0.185080000 (date 2026-07-09)

Problem Types: CWE-416 | CWE-825 | CWE-825 Expired Pointer Dereference


VersionSourceTypeScoreSeverityVector
3.1ADPCVSS7HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary9.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.10b0ca135-0b70-47e7-9f44-1890c2a1c46cSecondary7HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
3.1CNADECLARED9.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Breakdown

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 84b7a319105db2f917ccdcf502bdc866082b1285 git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8 git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 3c0741a441a7df7099d7ca6a64a6a0de09c677c8 git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 2afc9e684dc7fecf73db1edc937ebbc47b4b68dc git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 1d4652f677906a64487c13f9ace54b0eb263b5d0 git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 a6207349e703cfc04756a4d16dec9176135813a5 git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 83ade59e5da365f4bf8bce72c5a38774202b442f git Not specified
CNA Linux Linux affected 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 e374b22e9b07b72a25909621464ff74096151bfb git Not specified
CNA Linux Linux affected 4.15 Not specified
CNA Linux Linux unaffected 4.15 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified
ADP Red Hat Red Hat Enterprise Linux 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 7 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 7 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 9 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 9 Not specified Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/83ade59e5da365f4bf8bce72c5a38774202b442f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/a6207349e703cfc04756a4d16dec9176135813a5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52924.json 0b0ca135-0b70-47e7-9f44-1890c2a1c46c security.access.redhat.com Third Party Advisory
bugzilla.redhat.com/show_bug.cgi 0b0ca135-0b70-47e7-9f44-1890c2a1c46c bugzilla.redhat.com Issue Tracking, Third Party Advisory
access.redhat.com/security/cve/CVE-2026-52924 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
git.kernel.org/stable/c/84b7a319105db2f917ccdcf502bdc866082b1285 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/e374b22e9b07b72a25909621464ff74096151bfb 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/1d4652f677906a64487c13f9ace54b0eb263b5d0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/2afc9e684dc7fecf73db1edc937ebbc47b4b68dc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/3c0741a441a7df7099d7ca6a64a6a0de09c677c8 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Additional Advisory Data

SourceTimeEvent
ADP2026-06-24T00:00:00.000ZReported to Red Hat.
ADP2026-06-24T00:00:00.000ZMade public.

Workarounds

ADP: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report