Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated over SCTP so AV:N/AC:L/PR:N, but reliable impact is OOB read and crash (A:H), with corruption only 'potential' so C:L/I:L rather than H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
When a listening SCTP server processes a COOKIE_ECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked by sctp_process_init() using sctp_walk_params().
However, the chunk header length of this cached INIT chunk was not validated against the remaining buffer in the COOKIE_ECHO payload. If the length field is inflated, the parameter walk can run beyond the actual received data, leading to out-of-bounds reads and potential memory corruption during later parameter handling (e.g. STATE_COOKIE processing and kmemdup() copies).
Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used.
AnalysisAI
Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target host to have the SCTP module loaded and an SCTP server actively listening/accepting associations - this is the decisive prerequisite and is non-default on most Linux systems. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker reachable to an SCTP listening service (no prior authentication or association needed) completes enough of the handshake to send a COOKIE_ECHO chunk containing a cached INIT chunk with a deliberately inflated header length. When the server unpacks the cookie and walks the INIT parameters, the kernel reads beyond the received buffer, crashing the host or potentially corrupting heap memory during STATE_COOKIE processing and kmemdup() copies. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.18.36, 7.0.13, or 7.1 or later - or apply your distribution's backport of stable commits 0861615c28de, cc272185c9a9, or edccbf3d63b0 (https://git.kernel.org/stable/c/0861615c28de668669d748ef4eb913ea9262d13b and the two sibling commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running SCTP services (check production dependencies in telecom/messaging teams). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39197
GHSA-48jv-x8c6-486c