
Linux Kernel EUVD-2026-39316

CVE-2026-53225 CRITICAL
Use of Uninitialized Resource (CWE-908)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fj73-9fr6-g7mw
9.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67), PRIMARY: 9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

vuln.today AI: 5.3 MEDIUM
Unauthenticated network-reachable SCTP path (AV:N/AC:L/PR:N/UI:N), but impact is a bounded ~16-byte uninitialized-memory read, so C:L with no integrity or availability impact.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS Vector (Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline (5 events)

Analysis Generated: Jun 28, 2026 - 09:38 (vuln.today)
CVSS changed: Jun 28, 2026 - 08:22 (NVD), 9.1 (CRITICAL)
Patch available: Jun 25, 2026 - 10:32 (EUVD)
CVE Published: Jun 25, 2026 - 09:16 (cve.org), UNKNOWN (no severity yet)
CVE Published: Jun 25, 2026 - 09:16 (cve.org), CRITICAL 9.1

Description (CVE.org)

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length.

An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
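
A user-space model of the bound described above, added here as an example; it is not the kernel patch or code from the advisory. Function names and the two sample chunks are constructed, and the layout assumed is a 4-byte chunk header, the 4-byte ADDIP serial, then a 4-byte parameter header, with the RFC 4960 address parameter types 5 (IPv4) and 6 (IPv6).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CHUNK_HDR = 4, ADDIP_HDR = 4, PARAM_HDR = 4 };
enum { PARAM_IPV4 = 5, PARAM_IPV6 = 6 };  /* RFC 4960 address parameter types */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Bytes the address reader consumes after the parameter header. */
static size_t addr_bytes(uint16_t t) { return t == PARAM_IPV6 ? 16 : t == PARAM_IPV4 ? 4 : 0; }

/* Pre-fix style check: chunk only has to hold ADDIP header + parameter header. */
static int headers_fit(const uint8_t *c, size_t buf_len)
{
    size_t clen = buf_len >= CHUNK_HDR ? be16(c + 2) : 0;
    return clen <= buf_len && clen >= CHUNK_HDR + ADDIP_HDR + PARAM_HDR;
}

/* Bytes past the chunk end that a header-only check lets the address read touch. */
static size_t overread_bytes(const uint8_t *c, size_t buf_len)
{
    if (!headers_fit(c, buf_len)) return 0;
    size_t end = CHUNK_HDR + ADDIP_HDR + PARAM_HDR + addr_bytes(be16(c + 8));
    return end > be16(c + 2) ? end - be16(c + 2) : 0;
}

/* Hardened fetch: returns address length (4 or 16), or -1 if the chunk is rejected. */
static int asconf_addr(const uint8_t *c, size_t buf_len, uint8_t out[16])
{
    if (!headers_fit(c, buf_len)) return -1;
    const uint8_t *param = c + CHUNK_HDR + ADDIP_HDR;
    size_t alen = addr_bytes(be16(param)), plen = be16(param + 2);
    if (alen == 0 || plen != PARAM_HDR + alen) return -1;  /* length must match type */
    if (plen > (size_t)be16(c + 2) - CHUNK_HDR - ADDIP_HDR) return -1;  /* must end in chunk */
    memcpy(out, param + PARAM_HDR, alen);
    return (int)alen;
}

/* Constructed samples: ASCONF chunk (type 0xC1), serial 1, IPv6 address parameter. */
static const uint8_t truncated[12] = {0xC1, 0, 0, 12, 0, 0, 0, 1, 0, 6, 0, 20};
static const uint8_t complete[28] = {0xC1, 0, 0, 28, 0, 0, 0, 1, 0, 6, 0, 20, 0x20, 0x01, 0x0d, 0xb8};
static uint8_t scratch[16];

int main(void)
{
    printf("header-only check accepts truncated chunk: %d\n", headers_fit(truncated, sizeof truncated));
    printf("bytes past chunk end without the bound: %zu\n", overread_bytes(truncated, sizeof truncated));
    printf("hardened fetch: truncated=%d complete=%d\n", asconf_addr(truncated, sizeof truncated, scratch),
           asconf_addr(complete, sizeof complete, scratch));
    return 0;
}
```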

Analysis (AI)

Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach SCTP-enabled Linux host over network
Delivery: Craft ASCONF chunk with truncated IPv6 address parameter
Exploit: Send to no-association lookup path
Execution: from_addr_param() reads past chunk bound
Impact: Disclose up to 16 bytes uninitialized kernel memory

Vulnerability Assessment (AI)

Exploitation: Requires the target host to have the SCTP protocol stack active (the sctp module loaded or built in) and reachable from the attacker over the network; exploitation occurs on the no-association ('no-assoc') ASCONF lookup path, so no existing SCTP association or authentication is needed (PR:N). …

Risk Assessment: Signals are conflicting and warrant a downward adjustment from the headline score. …

Exploit Scenario: An attacker with network reachability to an SCTP-enabled Linux host sends a crafted SCTP packet containing an ASCONF chunk whose parameter header declares an IPv6 address but is truncated after the 4-byte header. Reaching the no-association lookup path, the kernel's from_addr_param() reads up to 16 bytes of uninitialized memory past the parameter, producing an information-disclosure / uninitialized-value condition. …

Remediation: Apply the vendor-released kernel patch by upgrading to the fixed version for your stable series: 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or mainline 7.1 (commits at https://git.kernel.org/stable/c/446e0ecd845abc394b24ae2030a883572bec9d16 and siblings); reference the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-53225. …

Recommended Action (AI)

Within 24 hours: Identify systems with SCTP enabled (check lsmod | grep sctp); disable SCTP on non-dependent systems or apply the vendor-released kernel patch. …
