Skip to main content

Linux Kernel CVE-2026-52924

| EUVDEUVD-2026-38727 CRITICAL
Expired Pointer Dereference (CWE-825)
2026-06-24 Linux GHSA-v4hw-q98x-8jmm
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.9 MEDIUM

Remotely triggerable (AV:N, PR:N) but needs a precise SCTP handshake/state-machine race with queued data (AC:H); demonstrated impact is a kernel crash, so A:H with C/I:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:24 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.8 (CRITICAL)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sctp: purge outqueue on stale COOKIE-ECHO handling

sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out_curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed.

However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk.

During the rollback, sctp_stream_update() frees the old stream table and installs a new one, but it does not invalidate stream->out_curr. As a result, out_curr may still point to a freed sctp_stream_out entry from the previous stream state.

Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out_curr->ext, which can lead to use-after-free once the old stream state has been released via sctp_stream_free().

This results in crashes such as (reported by Yuqi):

BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctp_sched_fcfs_dequeue+0x13a/0x140 sctp_outq_flush+0x1603/0x33e0 sctp_do_sm+0x31c9/0x5d30 sctp_assoc_bh_rcv+0x392/0x6f0 sctp_inq_push+0x1db/0x270 sctp_rcv+0x138d/0x3c10

Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart.

Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.

AnalysisAI

Use-after-free in the Linux kernel SCTP stack (net/sctp) allows a remote peer to crash the kernel by forcing an association to roll back from COOKIE_ECHOED to COOKIE_WAIT via a Stale Cookie ERROR. When sctp_stream_update() rebuilds the stream table during this rollback it leaves the scheduler's cached stream->out_curr pointer referencing freed memory, so the next scheduler dequeue (FCFS/RR/PRIO) dereferences a dangling sctp_stream_out entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach host with SCTP socket
Delivery
Initiate SCTP association
Exploit
Advance to COOKIE_ECHOED with queued data
Install
Send Stale Cookie ERROR
C2
Rollback frees stream table, leaves dangling out_curr
Execute
Scheduler dequeue reads freed memory
Impact
Kernel use-after-free panic (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to have the SCTP protocol module loaded and an SCTP socket reachable by the attacker - SCTP is not enabled by default on most general-purpose deployments, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict sharply and should be reconciled before prioritizing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker able to act as (or spoof) the remote SCTP peer initiates an association to a target that has the SCTP module loaded and a listening SCTP socket, lets it reach COOKIE_ECHOED with user data queued/bundled, then sends a Stale Cookie ERROR to force a rollback to COOKIE_WAIT. The freed stream table leaves a dangling out_curr pointer that the scheduler dereferences on the next dequeue, panicking the kernel and denying service to all users of that host; no public PoC is known, and the timing/state requirements make this materially harder than a single crafted packet.
Remediation Vendor-released patch: upgrade to a fixed kernel point release - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or mainline 7.1, choosing the fixed release matching your branch - and reboot; the corresponding stable commits are at https://git.kernel.org/stable/c/3c0741a441a7df7099d7ca6a64a6a0de09c677c8 (and the sibling hashes listed in the references). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify Linux systems with SCTP enabled by checking process listings and network configuration for SCTP protocol usage. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy