{"api_version":"1","generated_at":"2026-06-27T00:32:25+00:00","cve":"CVE-2026-53225","urls":{"html":"https://cve.report/CVE-2026-53225","api":"https://cve.report/api/cve/CVE-2026-53225.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53225","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53225"},"summary":{"title":"sctp: fix uninit-value in __sctp_rcv_asconf_lookup()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix uninit-value in __sctp_rcv_asconf_lookup()\n\n__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF\nchunk can hold the ADDIP header and a parameter header, then calls\naf->from_addr_param(), which reads the full address (16 bytes for IPv6)\ntrusting the parameter's declared length.\n\nAn unauthenticated peer can send a truncated trailing ASCONF chunk that\ndeclares an IPv6 address parameter but stops after the 4-byte parameter\nheader; reached from the no-association lookup path, from_addr_param() then\nreads uninitialized bytes past the parameter.\n\nImpact: an unauthenticated SCTP peer makes the receive path read up to 16\nbytes of uninitialized memory past a truncated ASCONF address parameter.\n\nThe sibling __sctp_rcv_init_lookup() bounds parameters with\nsctp_walk_params(); this path open-codes the fetch and omits the bound.\nVerify the whole address parameter lies within the chunk before\nfrom_addr_param() reads it, the same class of fix as commit 51e5ad549c43\n(\"net: sctp: fix KMSAN uninit-value in sctp_inq_pop\").","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-25 09:16:40","updated_at":"2026-06-25 09:16:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/f76a8b323e28e0951f979dbef20a7496383c47df","name":"https://git.kernel.org/stable/c/f76a8b323e28e0951f979dbef20a7496383c47df","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d796cfd06074b579d265b28401306cadd30db945","name":"https://git.kernel.org/stable/c/d796cfd06074b579d265b28401306cadd30db945","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/928dd94db23e8ba340f83d68f7f24d831b7a4426","name":"https://git.kernel.org/stable/c/928dd94db23e8ba340f83d68f7f24d831b7a4426","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16","name":"https://git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8ce96f1182644079249a24ac7e2ffc32e0301a46","name":"https://git.kernel.org/stable/c/8ce96f1182644079249a24ac7e2ffc32e0301a46","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d6bd0bb7697ea8c0387b0d9d973453f479017b23","name":"https://git.kernel.org/stable/c/d6bd0bb7697ea8c0387b0d9d973453f479017b23","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8e86817b8af4d552f3c6fe04ca52bb0c8c57411d","name":"https://git.kernel.org/stable/c/8e86817b8af4d552f3c6fe04ca52bb0c8c57411d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f8373d7090b745728de66308deeecc67e8d319ce","name":"https://git.kernel.org/stable/c/f8373d7090b745728de66308deeecc67e8d319ce","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53225","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53225","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 446e0ecd845abc394b24ae2030a883572bec9d16 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 928dd94db23e8ba340f83d68f7f24d831b7a4426 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef d796cfd06074b579d265b28401306cadd30db945 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 8ce96f1182644079249a24ac7e2ffc32e0301a46 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef d6bd0bb7697ea8c0387b0d9d973453f479017b23 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef f76a8b323e28e0951f979dbef20a7496383c47df git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef 8e86817b8af4d552f3c6fe04ca52bb0c8c57411d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected df21857714398acb8b24a8bb5a6d2286dd9c59ef f8373d7090b745728de66308deeecc67e8d319ce git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.25","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.25 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.259 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.210 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.176 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.143 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.94 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.36 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.13 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"53225","cve":"CVE-2026-53225","epss":"0.001840000","percentile":"0.082070000","score_date":"2026-06-26","updated_at":"2026-06-27 00:07:46"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/sctp/input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"446e0ecd845abc394b24ae2030a883572bec9d16","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"928dd94db23e8ba340f83d68f7f24d831b7a4426","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"d796cfd06074b579d265b28401306cadd30db945","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"8ce96f1182644079249a24ac7e2ffc32e0301a46","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"d6bd0bb7697ea8c0387b0d9d973453f479017b23","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"f76a8b323e28e0951f979dbef20a7496383c47df","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"8e86817b8af4d552f3c6fe04ca52bb0c8c57411d","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"},{"lessThan":"f8373d7090b745728de66308deeecc67e8d319ce","status":"affected","version":"df21857714398acb8b24a8bb5a6d2286dd9c59ef","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/sctp/input.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.25"},{"lessThan":"2.6.25","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.259","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.210","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.176","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.143","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.94","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.36","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.259","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.210","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.176","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.143","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.94","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.36","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.13","versionStartIncluding":"2.6.25","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"2.6.25","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix uninit-value in __sctp_rcv_asconf_lookup()\n\n__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF\nchunk can hold the ADDIP header and a parameter header, then calls\naf->from_addr_param(), which reads the full address (16 bytes for IPv6)\ntrusting the parameter's declared length.\n\nAn unauthenticated peer can send a truncated trailing ASCONF chunk that\ndeclares an IPv6 address parameter but stops after the 4-byte parameter\nheader; reached from the no-association lookup path, from_addr_param() then\nreads uninitialized bytes past the parameter.\n\nImpact: an unauthenticated SCTP peer makes the receive path read up to 16\nbytes of uninitialized memory past a truncated ASCONF address parameter.\n\nThe sibling __sctp_rcv_init_lookup() bounds parameters with\nsctp_walk_params(); this path open-codes the fetch and omits the bound.\nVerify the whole address parameter lies within the chunk before\nfrom_addr_param() reads it, the same class of fix as commit 51e5ad549c43\n(\"net: sctp: fix KMSAN uninit-value in sctp_inq_pop\")."}],"providerMetadata":{"dateUpdated":"2026-06-25T08:39:25.911Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16"},{"url":"https://git.kernel.org/stable/c/928dd94db23e8ba340f83d68f7f24d831b7a4426"},{"url":"https://git.kernel.org/stable/c/d796cfd06074b579d265b28401306cadd30db945"},{"url":"https://git.kernel.org/stable/c/8ce96f1182644079249a24ac7e2ffc32e0301a46"},{"url":"https://git.kernel.org/stable/c/d6bd0bb7697ea8c0387b0d9d973453f479017b23"},{"url":"https://git.kernel.org/stable/c/f76a8b323e28e0951f979dbef20a7496383c47df"},{"url":"https://git.kernel.org/stable/c/8e86817b8af4d552f3c6fe04ca52bb0c8c57411d"},{"url":"https://git.kernel.org/stable/c/f8373d7090b745728de66308deeecc67e8d319ce"}],"title":"sctp: fix uninit-value in __sctp_rcv_asconf_lookup()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53225","datePublished":"2026-06-25T08:39:25.911Z","dateReserved":"2026-06-09T07:44:35.392Z","dateUpdated":"2026-06-25T08:39:25.911Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-25 09:16:40","lastModifiedDate":"2026-06-25 09:16:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53225","Ordinal":"1","Title":"sctp: fix uninit-value in __sctp_rcv_asconf_lookup()","CVE":"CVE-2026-53225","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53225","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix uninit-value in __sctp_rcv_asconf_lookup()\n\n__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF\nchunk can hold the ADDIP header and a parameter header, then calls\naf->from_addr_param(), which reads the full address (16 bytes for IPv6)\ntrusting the parameter's declared length.\n\nAn unauthenticated peer can send a truncated trailing ASCONF chunk that\ndeclares an IPv6 address parameter but stops after the 4-byte parameter\nheader; reached from the no-association lookup path, from_addr_param() then\nreads uninitialized bytes past the parameter.\n\nImpact: an unauthenticated SCTP peer makes the receive path read up to 16\nbytes of uninitialized memory past a truncated ASCONF address parameter.\n\nThe sibling __sctp_rcv_init_lookup() bounds parameters with\nsctp_walk_params(); this path open-codes the fetch and omits the bound.\nVerify the whole address parameter lies within the chunk before\nfrom_addr_param() reads it, the same class of fix as commit 51e5ad549c43\n(\"net: sctp: fix KMSAN uninit-value in sctp_inq_pop\").","Type":"Description","Title":"sctp: fix uninit-value in __sctp_rcv_asconf_lookup()"}]}}}