Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local unprivileged getsockopt call writes only 8 peer-controlled bytes into the caller's own userspace, giving no confidentiality leak and no availability loss, so integrity impact is Low.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
sctp_getsockopt_peer_auth_chunks() checks that the caller's optval buffer is large enough for the peer AUTH chunk list with
if (len < num_chunks) return -EINVAL;
but then writes num_chunks bytes to p->gauth_chunks, which lives at offset offsetof(struct sctp_authchunks, gauth_chunks) 8 inside optval. The check is missing the sizeof(struct sctp_authchunks) = 8-byte header. When the caller supplies len num_chunks (for any num_chunks > 0) the test passes but copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes past the declared buffer.
The sibling function sctp_getsockopt_local_auth_chunks() at the next line already has the correct check:
if (len < sizeof(struct sctp_authchunks) + num_chunks) return -EINVAL;
Align the peer variant with its sibling.
Reproducer confirms on v7.0-13-generic: an unprivileged userspace caller that opens a loopback SCTP association with AUTH enabled, queries num_chunks with a short optval, then issues the real getsockopt with len == num_chunks and sentinel bytes painted past the buffer observes those sentinel bytes overwritten with the peer's AUTH chunk type. The bytes written are under the peer's control but land in the caller's own userspace; this is not a kernel memory corruption, but it is a kernel-side contract violation that can silently corrupt adjacent userspace data.
AnalysisAI
Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The kernel must have SCTP support enabled (CONFIG_IP_SCTP loaded) and an established SCTP association with the AUTH extension negotiated (a loopback association suffices). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N, C:H/I:H/A:H) substantially overstates real-world impact and conflicts with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local unprivileged user on a host with SCTP AUTH enabled opens a loopback SCTP association, calls getsockopt(SCTP_PEER_AUTH_CHUNKS) once to learn num_chunks, then re-issues the call with the buffer sized exactly to num_chunks and sentinel bytes placed immediately after it. The kernel's flawed length check passes and copy_to_user() overwrites 8 sentinel bytes past the buffer with the peer-controlled AUTH chunk header, silently corrupting adjacent data in the caller's own address space. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's equivalent backport), per EUVD-2026-38872 and the kernel.org stable commits (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify systems running v7.0-13-generic or earlier kernel versions and confirm whether SCTP is enabled in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38872
GHSA-79rv-wg4r-99gp