CVE Catalog

CVE-2026-53225

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.54%

42th percentile — higher than 42% of all known CVEs

Summary

A vulnerability was found in the Linux kernel's SCTP stack in the __sctp_rcv_asconf_lookup() function. An unauthenticated peer can send a truncated ASCONF chunk that declares an IPv6 address but ends after the parameter header, causing uninitialized memory to be read.

Risk Assessment

An attacker can exploit this to read up to 16 bytes of uninitialized kernel memory, potentially leading to information disclosure or system instability.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds bounds checking for the address parameter before reading it.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: sctp: fix uninit-value in __sctp_rcv_asconf_lookup() __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length. An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter. Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter. The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").

Vulnerability data from NVD (NIST) · CISA KEV · EPSS