CVE-2026-53246
SCTP Out-of-Bounds Read in Linux Kernel

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing

When a listening SCTP server processes a COOKIE_ECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked by sctp_process_init() using sctp_walk_params().

However, the chunk header length of this cached INIT chunk was not validated against the remaining buffer in the COOKIE_ECHO payload. If the length field is inflated, the parameter walk can run beyond the actual received data, leading to out-of-bounds reads and potential memory corruption during later parameter handling (e.g. STATE_COOKIE processing and kmemdup() copies).

Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product         Version / Range
linux     linux_kernel    *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation. Specifically, when a listening SCTP server processes a COOKIE_ECHO chunk, it parses a cached peer INIT chunk embedded after the cookie. The vulnerability arises because the length of this cached INIT chunk was not properly validated against the remaining buffer size in the COOKIE_ECHO payload.

If the length field of the cached INIT chunk is artificially inflated, the subsequent parameter processing can read beyond the actual received data. This can lead to out-of-bounds reads and potential memory corruption during later handling steps, such as STATE_COOKIE processing and memory duplication operations.

The fix involved adding a bounds check in the sctp_unpack_cookie() function to ensure that the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used.
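
A simplified user-space model of the check described above, added here as an illustration; it is not the kernel's sctp_unpack_cookie() code or the upstream patch. The 8-byte cookie size, the function names and the sample buffer are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COOKIE_LEN 8     /* hypothetical fixed cookie size for this model */
#define MIN_INIT_LEN 20  /* chunk header (4) + INIT fixed fields (16) */
#define PARAM_HDR_LEN 4  /* type (2) + length (2, big-endian) */

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Validated cached INIT length, or 0 if it does not fit the received bytes. */
size_t cached_init_len(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < COOKIE_LEN + MIN_INIT_LEN)
        return 0;
    size_t claimed = be16(buf + COOKIE_LEN + 2); /* chunk header length field */
    if (claimed < MIN_INIT_LEN || claimed > buf_len - COOKIE_LEN)
        return 0; /* truncated or inflated: reject before any walk */
    return claimed;
}

/* Count parameters in the cached INIT; -1 if the chunk or a parameter is bad. */
int count_init_params(const uint8_t *buf, size_t buf_len)
{
    size_t len = cached_init_len(buf, buf_len), off = MIN_INIT_LEN;
    int n = 0;
    if (len == 0)
        return -1;
    while (off + PARAM_HDR_LEN <= len) {
        size_t plen = be16(buf + COOKIE_LEN + off + 2);
        if (plen < PARAM_HDR_LEN || plen > len - off)
            return -1;
        off += (plen + 3) & ~(size_t)3; /* parameters are padded to 4 bytes */
        n++;
    }
    return n;
}

/* Constructed sample: cookie + INIT with one 8-byte parameter; claimed varies. */
int demo(uint16_t claimed)
{
    uint8_t buf[COOKIE_LEN + 28] = {0}, *init = buf + COOKIE_LEN;
    init[0] = 1; /* chunk type INIT */
    init[2] = (uint8_t)(claimed >> 8); init[3] = (uint8_t)claimed;
    init[21] = 12; init[23] = 8; /* parameter type 12, length 8 */
    return count_init_params(buf, sizeof buf);
}

int main(void) { printf("valid=%d inflated=%d\n", demo(28), demo(400)); return 0; }
```

Without the `claimed > buf_len - COOKIE_LEN` test, the walk in count_init_params() would trust the inflated length and read parameter headers past the end of the 36-byte buffer.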

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads and potential memory corruption within the Linux kernel's SCTP processing. Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service on affected systems.

Mitigation Strategies

The vulnerability is resolved by adding a bounds check in the Linux kernel SCTP implementation to validate the cached INIT chunk length during COOKIE_ECHO processing.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Until the update is applied, consider limiting or blocking SCTP traffic if it is not required in your environment to reduce exposure.
