Skip to main content

Linux Kernel CVE-2026-53004

| EUVDEUVD-2026-38872 HIGH
Out-of-bounds Write (CWE-787)
2026-06-24 Linux GHSA-79rv-wg4r-99gp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.3 LOW

Local unprivileged getsockopt call writes only 8 peer-controlled bytes into the caller's own userspace, giving no confidentiality leak and no availability loss, so integrity impact is Low.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 20:51 vuln.today
CVSS changed
Jul 14, 2026 - 20:07 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks

sctp_getsockopt_peer_auth_chunks() checks that the caller's optval buffer is large enough for the peer AUTH chunk list with

if (len < num_chunks) return -EINVAL;

but then writes num_chunks bytes to p->gauth_chunks, which lives at offset offsetof(struct sctp_authchunks, gauth_chunks) 8 inside optval. The check is missing the sizeof(struct sctp_authchunks) = 8-byte header. When the caller supplies len num_chunks (for any num_chunks > 0) the test passes but copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes past the declared buffer.

The sibling function sctp_getsockopt_local_auth_chunks() at the next line already has the correct check:

if (len < sizeof(struct sctp_authchunks) + num_chunks) return -EINVAL;

Align the peer variant with its sibling.

Reproducer confirms on v7.0-13-generic: an unprivileged userspace caller that opens a loopback SCTP association with AUTH enabled, queries num_chunks with a short optval, then issues the real getsockopt with len == num_chunks and sentinel bytes painted past the buffer observes those sentinel bytes overwritten with the peer's AUTH chunk type. The bytes written are under the peer's control but land in the caller's own userspace; this is not a kernel memory corruption, but it is a kernel-side contract violation that can silently corrupt adjacent userspace data.

AnalysisAI

Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open local SCTP socket with AUTH
Delivery
Establish peer/loopback association
Exploit
getsockopt to read num_chunks
Execution
Re-call with optlen == num_chunks
Persist
copy_to_user overruns 8-byte header
Impact
Adjacent caller userspace data corrupted

Vulnerability AssessmentAI

Exploitation The kernel must have SCTP support enabled (CONFIG_IP_SCTP loaded) and an established SCTP association with the AUTH extension negotiated (a loopback association suffices). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N, C:H/I:H/A:H) substantially overstates real-world impact and conflicts with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a host with SCTP AUTH enabled opens a loopback SCTP association, calls getsockopt(SCTP_PEER_AUTH_CHUNKS) once to learn num_chunks, then re-issues the call with the buffer sized exactly to num_chunks and sentinel bytes placed immediately after it. The kernel's flawed length check passes and copy_to_user() overwrites 8 sentinel bytes past the buffer with the peer-controlled AUTH chunk header, silently corrupting adjacent data in the caller's own address space. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's equivalent backport), per EUVD-2026-38872 and the kernel.org stable commits (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify systems running v7.0-13-generic or earlier kernel versions and confirm whether SCTP is enabled in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy