sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

Summary

CVE: CVE-2026-53225
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-25 09:16:40 UTC
Updated: 2026-06-25 09:16:40 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound.

Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
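The gap between the headers-only check and the full-parameter bound described above, as an added userspace model; it is not the kernel's code or the upstream patch. The function names and sample chunks are hypothetical and constructed here, and the type and length constants are the ones the SCTP RFCs assign to ASCONF and the IPv4/IPv6 address parameters.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN       4  /* chunk header and parameter header: 4 bytes each */
#define ADDIP_HDR_LEN 4  /* ADDIP header: 32-bit serial number */
#define PARAM_IPV4    5  /* IPv4 Address parameter, total length 8 */
#define PARAM_IPV6    6  /* IPv6 Address parameter, total length 20 */

/* Constructed samples: ASCONF (type 0xC1) declaring an IPv6 parameter. */
static const uint8_t truncated_chunk[12] = {      /* stops after param header */
    0xC1, 0, 0, 12,  0, 0, 0, 1,  0, PARAM_IPV6, 0, 20 };
static const uint8_t complete_chunk[28] = {       /* carries ::1 in full */
    0xC1, 0, 0, 28,  0, 0, 0, 1,  0, PARAM_IPV6, 0, 20,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The pre-fix test as the description states it: headers fit, nothing more. */
int headers_only_check(const uint8_t *chunk, size_t avail)
{
    return avail >= HDR_LEN + ADDIP_HDR_LEN + HDR_LEN &&
           be16(chunk + 2) >= HDR_LEN + ADDIP_HDR_LEN + HDR_LEN;
}

/* Bounded fetch: copies the address to out[16] and returns its length,
 * or -1 if the declared parameter does not lie wholly inside the chunk. */
int bounded_addr_fetch(const uint8_t *chunk, size_t avail, uint8_t out[16])
{
    if (!headers_only_check(chunk, avail)) return -1;
    size_t chunk_len = be16(chunk + 2);
    if (chunk_len > avail) return -1;  /* chunk claims more than was received */
    const uint8_t *param = chunk + HDR_LEN + ADDIP_HDR_LEN;
    uint16_t ptype = be16(param), plen = be16(param + 2);
    if (!((ptype == PARAM_IPV6 && plen == 20) ||
          (ptype == PARAM_IPV4 && plen == 8))) return -1;
    /* The bound the description asks for: the parameter ends inside the chunk. */
    if ((size_t)(HDR_LEN + ADDIP_HDR_LEN) + plen > chunk_len) return -1;
    memcpy(out, param + HDR_LEN, plen - HDR_LEN);
    return plen - HDR_LEN;
}

int main(void)
{
    uint8_t a[16];  /* exit 0: truncated rejected, complete chunk yields 16 bytes */
    return !(bounded_addr_fetch(truncated_chunk, 12, a) == -1 &&
             bounded_addr_fetch(complete_chunk, 28, a) == 16);
}
```

The truncated sample passes `headers_only_check()` yet is rejected by `bounded_addr_fetch()`, which is the case the fix closes.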

Risk And Classification

EPSS: 0.001840000 probability, percentile 0.082070000 (date 2026-06-26)

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 446e0ecd845abc394b24ae2030a883572bec9d16 git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 928dd94db23e8ba340f83d68f7f24d831b7a4426 git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef d796cfd06074b579d265b28401306cadd30db945 git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 8ce96f1182644079249a24ac7e2ffc32e0301a46 git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef d6bd0bb7697ea8c0387b0d9d973453f479017b23 git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef f76a8b323e28e0951f979dbef20a7496383c47df git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 8e86817b8af4d552f3c6fe04ca52bb0c8c57411d git Not specified
CNA Linux Linux affected df21857714398acb8b24a8bb5a6d2286dd9c59ef f8373d7090b745728de66308deeecc67e8d319ce git Not specified
CNA Linux Linux affected 2.6.25 Not specified
CNA Linux Linux unaffected 2.6.25 semver Not specified
CNA Linux Linux unaffected 5.10.259 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.210 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.176 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.143 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/f76a8b323e28e0951f979dbef20a7496383c47df 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d796cfd06074b579d265b28401306cadd30db945 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/928dd94db23e8ba340f83d68f7f24d831b7a4426 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8ce96f1182644079249a24ac7e2ffc32e0301a46 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d6bd0bb7697ea8c0387b0d9d973453f479017b23 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/8e86817b8af4d552f3c6fe04ca52bb0c8c57411d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/f8373d7090b745728de66308deeecc67e8d319ce 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis