Skip to main content

Linux Kernel EUVDEUVD-2026-38720

| CVE-2026-52917 HIGH
Out-of-bounds Read (CWE-125)
2026-06-24 Linux GHSA-fcw9-vwjp-9j4v
7.1
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
6.3 MEDIUM

Local sock_diag access (AV:L, PR:L), a narrow teardown race raises AC:H; OOB kernel read gives C:H and likely panic gives A:H, with no integrity impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 10:34 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 24, 2026 - 09:16 EUVD
CVE Published
Jun 24, 2026 - 07:14 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 07:14 cve.org
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sctp: diag: reject stale associations in dump_one path

The SCTP exact sock_diag lookup can hold a transport reference, block on lock_sock(sk), and then resume after sctp_association_free() has marked the association dead and freed its bind address list.

When that happens, inet_assoc_attr_size() and inet_diag_msg_sctpasoc_fill() can still dereference association state that is no longer valid for reporting. In particular, inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a real sctp_sockaddr_entry and trigger an out-of-bounds read from unrelated association memory.

Reject the association after taking the socket lock if it has been reaped or detached from the endpoint, and report the lookup as stale. This keeps the exact dump-one path from formatting torn association state.

AnalysisAI

Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access with sock_diag query capability
Delivery
Create and tear down SCTP associations
Exploit
Issue exact dump-one diag lookup, block on lock_sock()
Execution
Resume after association reaped/freed
Persist
Read freed bind-address list out-of-bounds
Impact
Leak kernel memory or crash system

Vulnerability AssessmentAI

Exploitation Requires local access to a host running an unpatched, SCTP-enabled Linux kernel, plus the ability to issue exact (dump-one) SCTP sock_diag lookups over NETLINK_SOCK_DIAG and to concurrently create and tear down SCTP associations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent in pointing to a moderate, local-only risk rather than an urgent priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with the ability to create SCTP associations and run an SCTP sock_diag query repeatedly issues exact dump-one lookups while concurrently tearing down associations, timing the diag call so it blocks on lock_sock() exactly as sctp_association_free() reaps the association. On a winning race, inet_diag_msg_sctpasoc_fill() walks the freed bind-address list and leaks adjacent kernel memory into the netlink reply or panics the kernel. …
Remediation Vendor-released patch: update to a fixed stable kernel - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) on the matching branch, applied via your distribution's kernel update channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Linux systems with SCTP enabled (verify via 'grep SCTP /boot/config-$(uname -r)' or 'lsmod | grep sctp') and document current kernel versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy