Skip to main content

Linux Kernel CVE-2026-52929

| EUVDEUVD-2026-38699 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-24 Linux GHSA-5j7v-37xj-7vhm
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote SCTP peer triggers a kernel NULL-deref crash without auth or interaction, yielding availability-only impact, hence A:H with C:N/I:N; AC:L matches the low-complexity packet sequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 08:25 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sctp: stream: fully roll back denied add-stream state

When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed stream metadata behind, so a later re-add can reuse a stale ext and hit a null-pointer dereference in the scheduler get path.

Fix the rollback by tearing down the removed stream state the same way other stream resizes do. Unschedule the current scheduler state, drop the removed stream ext state with sctp_stream_outq_migrate(), and then reschedule the remaining streams.

This keeps scheduler-private RR/FC/PRIO lists consistent while fully rolling back denied outgoing stream additions.

AnalysisAI

Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish SCTP association with target
Delivery
Negotiate stream reconfiguration extension
Exploit
Send ADD_OUT_STREAMS request that is denied
Execution
Re-add stream reusing stale ext
Persist
Scheduler dereferences stale/NULL ext
Impact
Kernel panic / denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to have the Linux kernel SCTP module loaded and an SCTP association reachable by the attacker, plus the SCTP Stream Reconfiguration extension (RFC 6525) being usable so the attacker can drive an ADD_OUT_STREAMS request that the receiver denies, followed by a re-add that reuses the stale stream ext. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent toward a real but bounded availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can establish or already participates in an SCTP association with a target host negotiates the stream reconfiguration extension and sends an ADD_OUT_STREAMS request crafted to be denied, then issues a follow-up add that re-adds a stream whose stale ext state was never torn down. The scheduler get path dereferences the stale/NULL ext and the kernel crashes, producing a denial of service. …
Remediation Vendor-released patch: update to a fixed stable kernel - at minimum 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (and 7.1 mainline) - or your distribution's kernel build that incorporates the corresponding backport, then reboot to load it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production Linux systems with SCTP enabled and external network connectivity; assess criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy