CVE-2026-53225
Received - Intake
SCTP Uninit-Value Read in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation, specifically in the function __sctp_rcv_asconf_lookup().

The function checks only that the ASCONF chunk can hold the ADDIP header and a parameter header. It then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) and trusts the parameter's declared length without verifying that the whole parameter lies within the chunk.

An unauthenticated SCTP peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header. When this is reached from the no-association lookup path, from_addr_param() reads uninitialized bytes past the parameter.
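
A userspace model of the bounds check described above, added here as an illustration; it is not the kernel patch or code from net/sctp/input.c. The function names and both sample chunks are constructed for this example; the header sizes and the IPv4/IPv6 address parameter types (5 and 6, total lengths 8 and 20) follow the SCTP specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK_HDR  4u   /* chunk type, flags, 16-bit length */
#define ADDIP_HDR  4u   /* ASCONF serial number */
#define PARAM_HDR  4u   /* parameter type, 16-bit length */
#define PARAM_IPV4 5u   /* IPv4 Address parameter, total length 8 */
#define PARAM_IPV6 6u   /* IPv6 Address parameter, total length 20 */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Shape of the check the description criticises: room for the headers only. */
int headers_only_check(const uint8_t *chunk, size_t buf_len)
{
    if (buf_len < CHUNK_HDR)
        return 0;
    size_t chunk_len = be16(chunk + 2);      /* declared chunk length */
    return chunk_len <= buf_len &&           /* keeps this userspace model in bounds */
           chunk_len >= CHUNK_HDR + ADDIP_HDR + PARAM_HDR;
}

/* Hardened check: the whole address parameter must lie inside the chunk. */
int full_param_check(const uint8_t *chunk, size_t buf_len)
{
    if (!headers_only_check(chunk, buf_len))
        return 0;
    size_t chunk_len = be16(chunk + 2);
    const uint8_t *param = chunk + CHUNK_HDR + ADDIP_HDR;
    uint16_t type = be16(param), plen = be16(param + 2);
    size_t want = type == PARAM_IPV4 ? 8 : type == PARAM_IPV6 ? 20 : 0;
    if (want == 0 || plen != want)           /* unknown type or wrong declared length */
        return 0;
    return CHUNK_HDR + ADDIP_HDR + want <= chunk_len;
}

/* Constructed sample: IPv6 parameter declares 20 bytes, chunk ends after its header. */
static const uint8_t truncated_v6[12] = { 0xC1, 0, 0, 12,  0, 0, 0, 1,  0, 6, 0, 20 };
/* Constructed sample: same chunk with the full 16-byte address 2001:db8:: present. */
static const uint8_t complete_v6[28] = { 0xC1, 0, 0, 28,  0, 0, 0, 1,  0, 6, 0, 20,
                                         0x20, 0x01, 0x0d, 0xb8 };

int main(void)
{
    printf("truncated: headers-only=%d full=%d\n",
           headers_only_check(truncated_v6, sizeof truncated_v6),
           full_param_check(truncated_v6, sizeof truncated_v6));
    printf("complete:  headers-only=%d full=%d\n",
           headers_only_check(complete_v6, sizeof complete_v6),
           full_param_check(complete_v6, sizeof complete_v6));
    return 0;
}
```

The truncated chunk passes the headers-only check but is rejected once the declared parameter length is compared against the chunk length.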

Impact Analysis

The impact of this vulnerability is that an unauthenticated SCTP peer can cause the Linux kernel to read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.

This could potentially lead to information disclosure if the uninitialized memory contains sensitive data, or cause instability in the kernel due to improper memory handling.
