{"api_version":"1","generated_at":"2026-07-17T12:47:16+00:00","cve":"CVE-2026-15422","urls":{"html":"https://cve.report/CVE-2026-15422","api":"https://cve.report/api/cve/CVE-2026-15422.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-15422","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-15422"},"summary":{"title":"SCTP needs to better-check INIT ACK chunk parameters","description":"The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.","state":"PUBLISHED","assigner":"illumos","published_at":"2026-07-16 20:16:44","updated_at":"2026-07-16 20:16:44"},"problem_types":["CWE-122","CWE-787","CWE-122 CWE-122 Heap-based buffer overflow","CWE-787 CWE-787 Out-of-bounds write"],"metrics":[{"version":"4.0","source":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"USER","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"HIGH","providerUrgency":"RED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red","data":{"Automatable":"YES","Recovery":"USER","Safety":"PRESENT","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.1,"baseSeverity":"CRITICAL","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"HIGH"}}],"references":[{"url":"https://illumos.org/issues/18117","name":"https://illumos.org/issues/18117","refsource":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters","name":"https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters","refsource":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75","name":"https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75","refsource":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-15422","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-15422","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"illumos","product":"illumos-gate","version":"affected a5407c02d5ed61b29481b9b71f1307d7ebec9e5c 53a3efdeff8e6745bbfb69c5360f94962fb79e75 git","platforms":[]},{"source":"CNA","vendor":"OmniOS","product":"OmniOS","version":"affected r151058 r151058j custom","platforms":[]},{"source":"CNA","vendor":"OmniOS","product":"OmniOS","version":"affected r151056 r151056aj custom","platforms":[]},{"source":"CNA","vendor":"OmniOS","product":"OmniOS","version":"affected r151054 r151054bj custom","platforms":[]},{"source":"CNA","vendor":"OmniOS","product":"OmniOS","version":"affected any r151054 custom","platforms":[]},{"source":"CNA","vendor":"Triton Data Center","product":"SmartOS","version":"affected any 202060709 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-30T20:00:00.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2026-07-08T19:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[{"source":"CNA","title":"","value":"Update your illumos distro to one that includes 18117's fix.","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"In order of recommendation:\n\n\n\n\n1.) Hotpatch the faulty SCTP input path.  See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact developers@lists.illumos.org.\n\n\n2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Sourque","lang":"en"},{"source":"CNA","value":"Dan McDonald","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"affected","modules":["kernel","SCTP"],"product":"illumos-gate","programFiles":["usr/src/uts/common/inet/sctp/sctp_hash.c"],"repo":"https://github.com/illumos/illumos-gate","vendor":"illumos","versions":[{"changes":[{"at":"53a3efdeff8e6745bbfb69c5360f94962fb79e75","status":"unaffected"}],"lessThan":"53a3efdeff8e6745bbfb69c5360f94962fb79e75","status":"affected","version":"a5407c02d5ed61b29481b9b71f1307d7ebec9e5c","versionType":"git"}]},{"defaultStatus":"affected","product":"OmniOS","vendor":"OmniOS","versions":[{"changes":[{"at":"r151058j","status":"unaffected"}],"lessThan":"r151058j","status":"affected","version":"r151058","versionType":"custom"},{"changes":[{"at":"r151056aj","status":"unaffected"}],"lessThan":"r151056aj","status":"affected","version":"r151056","versionType":"custom"},{"changes":[{"at":"r151054bj","status":"unaffected"}],"lessThan":"r151054bj","status":"affected","version":"r151054","versionType":"custom"},{"lessThan":"r151054","status":"affected","version":"any","versionType":"custom"}]},{"defaultStatus":"affected","product":"SmartOS","vendor":"Triton Data Center","versions":[{"changes":[{"at":"20260709","status":"unaffected"}],"lessThan":"202060709","status":"affected","version":"any","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Sourque"},{"lang":"en","type":"remediation developer","value":"Dan McDonald"}],"datePublic":"2026-07-08T18:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<pre>The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.</pre>"}],"value":"The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde."}],"impacts":[{"capecId":"CAPEC-100","descriptions":[{"lang":"en","value":"CAPEC-100 Overflow Buffers"}]},{"capecId":"CAPEC-30","descriptions":[{"lang":"en","value":"CAPEC-30 Hijacking a Privileged Thread of Execution"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"PRESENT","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":9.1,"baseSeverity":"CRITICAL","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"NONE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"HIGH"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-122","description":"CWE-122 Heap-based buffer overflow","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-787","description":"CWE-787 Out-of-bounds write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-16T19:29:13.931Z","orgId":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","shortName":"illumos"},"references":[{"tags":["mailing-list"],"url":"https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters"},{"tags":["issue-tracking"],"url":"https://illumos.org/issues/18117"},{"tags":["patch"],"url":"https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update your illumos distro to one that includes 18117's fix."}],"value":"Update your illumos distro to one that includes 18117's fix."}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2026-04-30T20:00:00.000Z","value":"Vendor Notified"},{"lang":"en","time":"2026-07-08T19:00:00.000Z","value":"Disclosed"}],"title":"SCTP needs to better-check INIT ACK chunk parameters","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>In order of recommendation:</div><div><br></div>1.) Hotpatch the faulty SCTP input path. &nbsp;See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact developers@lists.illumos.org.<div><br></div><div>2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.</div>"}],"value":"In order of recommendation:\n\n\n\n\n1.) Hotpatch the faulty SCTP input path.  See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact developers@lists.illumos.org.\n\n\n2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack."}],"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","assignerShortName":"illumos","cveId":"CVE-2026-15422","datePublished":"2026-07-16T19:29:13.931Z","dateReserved":"2026-07-10T15:20:03.858Z","dateUpdated":"2026-07-16T19:29:13.931Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-16 20:16:44","lastModifiedDate":"2026-07-16 20:16:44","problem_types":["CWE-122","CWE-787","CWE-122 CWE-122 Heap-based buffer overflow","CWE-787 CWE-787 Out-of-bounds write"],"metrics":{"cvssMetricV40":[{"source":"0ca53633-f0b5-4853-ba72-e0a2e62000d0","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"PRESENT","Automatable":"YES","Recovery":"USER","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"HIGH","providerUrgency":"RED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"15422","Ordinal":"1","Title":"SCTP needs to better-check INIT ACK chunk parameters","CVE":"CVE-2026-15422","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"15422","Ordinal":"1","NoteData":"The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.","Type":"Description","Title":"SCTP needs to better-check INIT ACK chunk parameters"}]}}}