Skip to main content

Linux Kernel EUVDEUVD-2026-32854

| CVE-2026-46227 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-rg55-jvw9-p7m7
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:09 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.

AnalysisAI

Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.

Technical ContextAI

The vulnerability lives in net/sctp/socket.c, in the SCTP_SENDALL handling of sctp_sendmsg(). The loop uses list_for_each_entry_safe() over ep->asocs, which caches the next list entry (@tmp) before each iteration. Inside the body, sctp_sendmsg_to_asoc() may invoke sctp_wait_for_sndbuf(), which drops the socket lock; during that window another thread can call SCTP_SOCKOPT_PEELOFF to migrate the cached association via sctp_sock_migrate() (list_del_init + list_add_tail to a different endpoint), or a softirq ABORT can free the association via kfree_rcu(). The current association (@asoc) is revalidated through sk and base.dead checks, but @tmp is not, so the loop can dereference freed memory or treat &newep->asocs (a list head) as a struct sctp_association - a classic CWE-416 use-after-free plus CWE-843 type confusion. The fix re-derives @tmp from @asoc after sctp_sendmsg_to_asoc() returns. The earlier commit ba59fb027307 covered only lock-held frees and did not anticipate the lock-dropping path introduced later.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.90, 6.18.32, 7.0.9, or 7.1-rc4 (or your distribution's backported kernel containing the fix commits 6187a172d6ed, c9dadb31f360, bf0f40d8107e, 1bfb06ecb00f, or abb5f36771cc, all available at https://git.kernel.org/stable/c/). On systems that cannot be patched immediately, the most effective compensating control is to disable SCTP entirely by blacklisting the sctp module (echo 'install sctp /bin/true' > /etc/modprobe.d/blacklist-sctp.conf and unload with rmmod sctp) - this fully eliminates the attack surface but will break any application that relies on SCTP transport (some telecom/SIGTRAN, Diameter, and clustering workloads). Where SCTP is required, restrict who can create SCTP sockets by removing local shell access for untrusted users and isolating multi-tenant workloads in separate kernels (VMs rather than shared containers), since the bug is reachable from CapEff=0 and unprivileged user namespaces do not gate it. Authoritative remediation references are listed at https://nvd.nist.gov/vuln/detail/CVE-2026-46227 and the five git.kernel.org commit URLs in the input.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32854 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy