{"api_version":"1","generated_at":"2026-06-24T23:23:28+00:00","cve":"CVE-2026-52929","urls":{"html":"https://cve.report/CVE-2026-52929","api":"https://cve.report/api/cve/CVE-2026-52929.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-52929","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-52929"},"summary":{"title":"sctp: stream: fully roll back denied add-stream state","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: stream: fully roll back denied add-stream state\n\nWhen ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and\nthen lowers outcnt. That leaves removed stream metadata behind, so a\nlater re-add can reuse a stale ext and hit a null-pointer dereference in\nthe scheduler get path.\n\nFix the rollback by tearing down the removed stream state the same way\nother stream resizes do. Unschedule the current scheduler state, drop\nthe removed stream ext state with sctp_stream_outq_migrate(), and then\nreschedule the remaining streams.\n\nThis keeps scheduler-private RR/FC/PRIO lists consistent while fully\nrolling back denied outgoing stream additions.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 08:16:23","updated_at":"2026-06-24 08:16:23"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/9662eb0401518f0b4681f10e7fbf688f504f24cf","name":"https://git.kernel.org/stable/c/9662eb0401518f0b4681f10e7fbf688f504f24cf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a5f8a90ac9f77c678a9781c0a464b635e0d63e49","name":"https://git.kernel.org/stable/c/a5f8a90ac9f77c678a9781c0a464b635e0d63e49","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/39dc2b0eb5371a669ebc9ec6072b9184eac95418","name":"https://git.kernel.org/stable/c/39dc2b0eb5371a669ebc9ec6072b9184eac95418","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a6724b7b812ac8793514a1d5938db5d9d29ae725","name":"https://git.kernel.org/stable/c/a6724b7b812ac8793514a1d5938db5d9d29ae725","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85","name":"https://git.kernel.org/stable/c/0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1c6773b8c081509dcd5cd2954f2b02c50c00f151","name":"https://git.kernel.org/stable/c/1c6773b8c081509dcd5cd2954f2b02c50c00f151","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7dd9a42b044aad2dbe037db1c1e2943582485b44","name":"https://git.kernel.org/stable/c/7dd9a42b044aad2dbe037db1c1e2943582485b44","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d5ea0b3e261fcb2cfff142675516165244cab1da","name":"https://git.kernel.org/stable/c/d5ea0b3e261fcb2cfff142675516165244cab1da","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-52929","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52929","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a 0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a a6724b7b812ac8793514a1d5938db5d9d29ae725 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a 9662eb0401518f0b4681f10e7fbf688f504f24cf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a 7dd9a42b044aad2dbe037db1c1e2943582485b44 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a 39dc2b0eb5371a669ebc9ec6072b9184eac95418 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a d5ea0b3e261fcb2cfff142675516165244cab1da git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a 1c6773b8c081509dcd5cd2954f2b02c50c00f151 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 637784ade221a3c8a7ecd0f583eddd95d6276b9a a5f8a90ac9f77c678a9781c0a464b635e0d63e49 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/sctp/stream.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"a6724b7b812ac8793514a1d5938db5d9d29ae725","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"9662eb0401518f0b4681f10e7fbf688f504f24cf","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"7dd9a42b044aad2dbe037db1c1e2943582485b44","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"39dc2b0eb5371a669ebc9ec6072b9184eac95418","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"d5ea0b3e261fcb2cfff142675516165244cab1da","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"1c6773b8c081509dcd5cd2954f2b02c50c00f151","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"},{"lessThan":"a5f8a90ac9f77c678a9781c0a464b635e0d63e49","status":"affected","version":"637784ade221a3c8a7ecd0f583eddd95d6276b9a","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/sctp/stream.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.15"},{"lessThan":"4.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"4.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"4.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: stream: fully roll back denied add-stream state\n\nWhen ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and\nthen lowers outcnt. That leaves removed stream metadata behind, so a\nlater re-add can reuse a stale ext and hit a null-pointer dereference in\nthe scheduler get path.\n\nFix the rollback by tearing down the removed stream state the same way\nother stream resizes do. Unschedule the current scheduler state, drop\nthe removed stream ext state with sctp_stream_outq_migrate(), and then\nreschedule the remaining streams.\n\nThis keeps scheduler-private RR/FC/PRIO lists consistent while fully\nrolling back denied outgoing stream additions."}],"providerMetadata":{"dateUpdated":"2026-06-24T07:14:22.020Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85"},{"url":"https://git.kernel.org/stable/c/a6724b7b812ac8793514a1d5938db5d9d29ae725"},{"url":"https://git.kernel.org/stable/c/9662eb0401518f0b4681f10e7fbf688f504f24cf"},{"url":"https://git.kernel.org/stable/c/7dd9a42b044aad2dbe037db1c1e2943582485b44"},{"url":"https://git.kernel.org/stable/c/39dc2b0eb5371a669ebc9ec6072b9184eac95418"},{"url":"https://git.kernel.org/stable/c/d5ea0b3e261fcb2cfff142675516165244cab1da"},{"url":"https://git.kernel.org/stable/c/1c6773b8c081509dcd5cd2954f2b02c50c00f151"},{"url":"https://git.kernel.org/stable/c/a5f8a90ac9f77c678a9781c0a464b635e0d63e49"}],"title":"sctp: stream: fully roll back denied add-stream state","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-52929","datePublished":"2026-06-24T07:14:22.020Z","dateReserved":"2026-06-09T07:44:35.368Z","dateUpdated":"2026-06-24T07:14:22.020Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 08:16:23","lastModifiedDate":"2026-06-24 08:16:23","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"52929","Ordinal":"1","Title":"sctp: stream: fully roll back denied add-stream state","CVE":"CVE-2026-52929","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"52929","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: stream: fully roll back denied add-stream state\n\nWhen ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and\nthen lowers outcnt. That leaves removed stream metadata behind, so a\nlater re-add can reuse a stale ext and hit a null-pointer dereference in\nthe scheduler get path.\n\nFix the rollback by tearing down the removed stream state the same way\nother stream resizes do. Unschedule the current scheduler state, drop\nthe removed stream ext state with sctp_stream_outq_migrate(), and then\nreschedule the remaining streams.\n\nThis keeps scheduler-private RR/FC/PRIO lists consistent while fully\nrolling back denied outgoing stream additions.","Type":"Description","Title":"sctp: stream: fully roll back denied add-stream state"}]}}}