Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote SCTP peer triggers a kernel NULL-deref crash without auth or interaction, yielding availability-only impact, hence A:H with C:N/I:N; AC:L matches the low-complexity packet sequence.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
sctp: stream: fully roll back denied add-stream state
When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed stream metadata behind, so a later re-add can reuse a stale ext and hit a null-pointer dereference in the scheduler get path.
Fix the rollback by tearing down the removed stream state the same way other stream resizes do. Unschedule the current scheduler state, drop the removed stream ext state with sctp_stream_outq_migrate(), and then reschedule the remaining streams.
This keeps scheduler-private RR/FC/PRIO lists consistent while fully rolling back denied outgoing stream additions.
AnalysisAI
Remote denial-of-service in the Linux kernel SCTP stack arises from incomplete rollback when an ADD_OUT_STREAMS (add outgoing streams) reconfiguration request is denied; the kernel shrinks queued chunks and lowers outcnt but leaves stale stream metadata behind, so a later stream re-add reuses a freed/stale 'ext' object and triggers a NULL-pointer dereference in the scheduler get path. Any remote SCTP peer that can negotiate stream reconfiguration on an established association can crash the host, with no authentication or user interaction required per the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to have the Linux kernel SCTP module loaded and an SCTP association reachable by the attacker, plus the SCTP Stream Reconfiguration extension (RFC 6525) being usable so the attacker can drive an ADD_OUT_STREAMS request that the receiver denies, followed by a re-add that reuses the stale stream ext. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent toward a real but bounded availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can establish or already participates in an SCTP association with a target host negotiates the stream reconfiguration extension and sends an ADD_OUT_STREAMS request crafted to be denied, then issues a follow-up add that re-adds a stream whose stale ext state was never torn down. The scheduler get path dereferences the stale/NULL ext and the kernel crashes, producing a denial of service. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - at minimum 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (and 7.1 mainline) - or your distribution's kernel build that incorporates the corresponding backport, then reboot to load it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all production Linux systems with SCTP enabled and external network connectivity; assess criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38699
GHSA-5j7v-37xj-7vhm