Skip to main content

illumos EUVDEUVD-2026-45014

| CVE-2026-15422 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-07-16 illumos GHSA-7fj7-gprr-x7fm
9.1
CVSS 4.0 · Vendor: illumos
Share

Severity by source

Vendor (illumos) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red
vuln.today AI
8.1 HIGH

Remote unauthenticated packet reaches the lookup before any auth (AV:N/PR:N/UI:N); reliable kernel-heap RCE needs grooming so AC:H, while kernel compromise yields full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (illumos).

CVSS VectorVendor: illumos

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
P

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 20:17 vuln.today
Analysis Generated
Jul 16, 2026 - 20:17 vuln.today
CVE Published
Jul 16, 2026 - 19:29 cve.org
CRITICAL 9.1

DescriptionCVE.org

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

AnalysisAI

Remote kernel heap corruption in the illumos SCTP stack lets an unauthenticated attacker send a crafted INIT ACK packet with malformed address parameters to trigger an out-of-bounds access during packet classification, potentially leading to remote code execution or a kernel panic. The flaw affects illumos-gate and downstream distributions (OmniOS, SmartOS/Triton) built before commit 53a3efde, and has existed since 2010 (commit a5407c02). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach SCTP-enabled illumos host
Delivery
Send crafted INIT ACK packet
Exploit
Malformed address params bypass size-only checks
Execution
Out-of-bounds access in association lookup
Persist
Corrupt kernel heap
Impact
Panic or execute code as kernel

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target illumos host has the SCTP stack active and reachable such that inbound SCTP packets are processed; the attacker sends an INIT ACK chunk containing address parameters with malformed sph_len values (IPv4 parameter length not equal to 8 bytes, or IPv6 not equal to 20 bytes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue but with important caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network sends a single crafted SCTP INIT ACK packet whose embedded IPv4 or IPv6 address parameters carry malformed length fields to a target illumos host. Because the association lookup parses these parameters during packet classification - before SCTP integrity checks or IPsec policy are applied - the malformed data drives an out-of-bounds heap access, corrupting kernel memory to cause a panic or, with careful heap grooming, arbitrary code execution. …
Remediation Upstream fix available (commit; released patched version not independently confirmed): apply illumos-gate commit 53a3efde (https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75) by upgrading to a distribution build that includes it - OmniOS and SmartOS/Triton users should pull the corresponding rebuilt platform image or kernel package from their vendor once it carries this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running illumos-gate, OmniOS, or SmartOS/Triton built before commit 53a3efde. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy