Skip to main content

Linux Kernel CVE-2026-53224

| EUVDEUVD-2026-39315 CRITICAL
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h634-6f45-j5wj
9.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
9.1 CRITICAL

Remote unauthenticated COOKIE_ECHO trigger (AV:N/AC:L/PR:N/UI:N); out-of-bounds reads yield memory disclosure (C:H) and kernel crash (A:H) with no write primitive (I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:37 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
9.1 (CRITICAL)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
CRITICAL 9.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sctp: validate embedded INIT chunk and address list lengths in cookie

sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header.

A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.

In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.

Fix this by:

  • requiring the embedded INIT chunk length to be at least sizeof(struct

sctp_init_chunk);

  • validating that the INIT chunk and raw address list together fit

within the cookie payload;

  • verifying sufficient data exists for each address parameter header and

payload before parsing it.

Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.

AnalysisAI

Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach SCTP endpoint over network
Delivery
Initiate handshake to COOKIE_ECHO stage
Exploit
Send crafted cookie with truncated INIT/oversized addr list
Execution
sctp_process_init reads past cookie buffer
Impact
Leak kernel memory or panic host

Vulnerability AssessmentAI

Exploitation Exploitation requires the target host to have the SCTP module loaded and an SCTP endpoint reachable from the attacker, and the attacker must be able to drive the handshake to the COOKIE_ECHO stage and submit a crafted cookie containing a truncated embedded INIT chunk (length field < sizeof(struct sctp_init_chunk)). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can send SCTP traffic to a listening host crafts a COOKIE_ECHO chunk containing an embedded INIT chunk whose length field is smaller than a full INIT header (and, where cookie auth is disabled, an oversized raw_addr_list_len). When the kernel processes the cookie, sctp_process_init() and the address parser read beyond the cookie buffer, leaking adjacent kernel memory or panicking the system. …
Remediation Vendor-released patch: upgrade to Linux 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent that includes commits 512a9bb77c04, 6f4c80a2a7e6, and 7560afb8cddaf from git.kernel.org). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems with SCTP enabled and confirm patch availability from your distribution vendor. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy