Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Remote unauthenticated COOKIE_ECHO trigger (AV:N/AC:L/PR:N/UI:N); out-of-bounds reads yield memory disclosure (C:H) and kernel crash (A:H) with no write primitive (I:N).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
sctp: validate embedded INIT chunk and address list lengths in cookie
sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header.
A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.
In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.
Fix this by:
- requiring the embedded INIT chunk length to be at least sizeof(struct
sctp_init_chunk);
- validating that the INIT chunk and raw address list together fit
within the cookie payload;
- verifying sufficient data exists for each address parameter header and
payload before parsing it.
Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.
AnalysisAI
Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target host to have the SCTP module loaded and an SCTP endpoint reachable from the attacker, and the attacker must be able to drive the handshake to the COOKIE_ECHO stage and submit a crafted cookie containing a truncated embedded INIT chunk (length field < sizeof(struct sctp_init_chunk)). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can send SCTP traffic to a listening host crafts a COOKIE_ECHO chunk containing an embedded INIT chunk whose length field is smaller than a full INIT header (and, where cookie auth is disabled, an oversized raw_addr_list_len). When the kernel processes the cookie, sctp_process_init() and the address parser read beyond the cookie buffer, leaking adjacent kernel memory or panicking the system. … |
| Remediation | Vendor-released patch: upgrade to Linux 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent that includes commits 512a9bb77c04, 6f4c80a2a7e6, and 7560afb8cddaf from git.kernel.org). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems with SCTP enabled and confirm patch availability from your distribution vendor. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39315
GHSA-h634-6f45-j5wj