Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Unauthenticated network-reachable SCTP path (AV:N/AC:L/PR:N/UI:N), but impact is a bounded ~16-byte uninitialized-memory read, so C:L with no integrity or availability impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS Vector (Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description (CVE.org)
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length.
An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.
Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.
The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
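The missing bound described above, as an added userspace model; this is not the kernel patch or any code from net/sctp. The function names, the flat buffer layout and the sample bytes are constructed for illustration, the parameter type codes 5 and 6 are the RFC 4960 IPv4/IPv6 address parameters, and `len` is assumed to be the number of chunk bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDRS_LEN   8u  /* chunk header (4) + ADDIP serial number (4) */
#define PARAM_HDR  4u  /* 16-bit parameter type + 16-bit length */
#define PARAM_IPV4 5u  /* RFC 4960 address parameter types */
#define PARAM_IPV6 6u

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pre-fix shape: only proves the ADDIP and parameter headers fit. */
int headers_only_check(size_t len)
{
    return len >= HDRS_LEN + PARAM_HDR;
}

/* Hardened shape: the whole address parameter must lie inside the chunk. */
int full_param_check(const uint8_t *chunk, size_t len)
{
    size_t need;

    if (!headers_only_check(len))
        return 0;
    switch (be16(chunk + HDRS_LEN)) {
    case PARAM_IPV4: need = PARAM_HDR + 4;  break;
    case PARAM_IPV6: need = PARAM_HDR + 16; break;
    default:         return 0;                      /* not an address parameter */
    }
    if ((size_t)be16(chunk + HDRS_LEN + 2) != need) /* declared length must match family */
        return 0;
    return len - HDRS_LEN >= need;                  /* and fit in the received bytes */
}

/* Constructed samples: chunk type 0xC1 (ASCONF), serial 1, one IPv6 parameter. */
static const uint8_t truncated[12] = {   /* stops after the 4-byte parameter header */
    0xC1, 0x00, 0x00, 0x0C,  0x00, 0x00, 0x00, 0x01,  0x00, 0x06, 0x00, 0x14,
};
static const uint8_t complete[28] = {    /* header plus 16 zero-filled address bytes */
    0xC1, 0x00, 0x00, 0x1C,  0x00, 0x00, 0x00, 0x01,  0x00, 0x06, 0x00, 0x14,
};

int main(void)
{
    printf("truncated: headers-only=%d full=%d\n",
           headers_only_check(sizeof truncated), full_param_check(truncated, sizeof truncated));
    printf("complete:  full=%d\n", full_param_check(complete, sizeof complete));
    return 0;
}
```

The truncated sample passes the headers-only test yet is rejected once the full parameter length is bounded against the chunk, which is the gap the fix closes.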
Analysis (AI)
Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. …
Vulnerability Assessment (AI)
| Exploitation | Requires the target host to have the SCTP protocol stack active (the sctp module loaded or built in) and reachable from the attacker over the network; exploitation occurs on the no-association ('no-assoc') ASCONF lookup path, so no existing SCTP association or authentication is needed (PR:N). … |
| Risk Assessment | Signals are conflicting and warrant a downward adjustment from the headline score. … |
| Exploit Scenario | An attacker with network reachability to an SCTP-enabled Linux host sends a crafted SCTP packet containing an ASCONF chunk whose parameter header declares an IPv6 address but is truncated after the 4-byte header. Reaching the no-association lookup path, the kernel's from_addr_param() reads up to 16 bytes of uninitialized memory past the parameter, producing an information-disclosure / uninitialized-value condition. … |
| Remediation | Apply the vendor-released kernel patch by upgrading to the fixed version for your stable series: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (commits at https://git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16 and siblings); reference the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-53225. … |
Recommended Action (AI)
Within 24 hours: Identify systems with SCTP enabled (check lsmod | grep sctp); disable SCTP on non-dependent systems or apply the vendor-released kernel patch. …
Same weakness: CWE-908 – Use of Uninitialized Resource
Same technique: Information Disclosure
EUVD-2026-39316
GHSA-fj73-9fr6-g7mw