Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local sock_diag access (AV:L, PR:L), a narrow teardown race raises AC:H; OOB kernel read gives C:H and likely panic gives A:H, with no integrity impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
sctp: diag: reject stale associations in dump_one path
The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list.
When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory.
Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.
AnalysisAI
Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access to a host running an unpatched, SCTP-enabled Linux kernel, plus the ability to issue exact (dump-one) SCTP sock_diag lookups over NETLINK_SOCK_DIAG and to concurrently create and tear down SCTP associations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent in pointing to a moderate, local-only risk rather than an urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user with the ability to create SCTP associations and run an SCTP sock_diag query repeatedly issues exact dump-one lookups while concurrently tearing down associations, timing the diag call so it blocks on lock_sock() exactly as sctp_association_free() reaps the association. On a winning race, inet_diag_msg_sctpasoc_fill() walks the freed bind-address list and leaks adjacent kernel memory into the netlink reply or panics the kernel. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) on the matching branch, applied via your distribution's kernel update channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Linux systems with SCTP enabled (verify via 'grep SCTP /boot/config-$(uname -r)' or 'lsmod | grep sctp') and document current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38720
GHSA-fcw9-vwjp-9j4v