HarborGuard Database
CVE-2026-52924 · CRITICAL · CNA: Linux

CVE-2026-52924: sctp: purge outqueue on stale COOKIE-ECHO handling

In the Linux kernel, the following vulnerability has been resolved:

sctp: purge outqueue on stale COOKIE-ECHO handling

sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out_curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed.

However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk. During the rollback, sctp_stream_update() frees the old stream table and installs a new one, but it does not invalidate stream->out_curr. As a result, out_curr may still point to a freed sctp_stream_out entry from the previous stream state.

Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out_curr->ext, which can lead to use-after-free once the old stream state has been released via sctp_stream_free().

This results in crashes such as (reported by Yuqi):

    BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140
    Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312
    CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)
    sctp_sched_fcfs_dequeue+0x13a/0x140
    sctp_outq_flush+0x1603/0x33e0
    sctp_do_sm+0x31c9/0x5d30
    sctp_assoc_bh_rcv+0x392/0x6f0
    sctp_inq_push+0x1db/0x270
    sctp_rcv+0x138d/0x3c10

Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart.

Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) subsystem, specifically in the handling of stale COOKIE-ECHO rollback. The flaw is reachable over the network without any authentication or user interaction, as SCTP control packets can trigger the vulnerable code path from a remote peer. Successful exploitation gives an attacker full read, write, and crash capability over the affected host, including arbitrary code execution in kernel context. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package affected Linux kernel versions. Any image whose kernel version falls within the affected range is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and weights that score against each environment's compliance policy to prioritize routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild pinned to the fix commits (including stable branch 5.10.259) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target's SCTP service over the network; a remote peer can send a crafted Stale Cookie ERROR packet to trigger the rollback path.

  • Authentication: Not required

    No credentials or session token are needed; the vulnerable code path is exercised during the SCTP association handshake before any authentication is established.

  • Victim interaction: Not required

    No user or administrator action is required; the kernel processes the malicious SCTP packet autonomously in the receive path.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and condition-free, requiring only the ability to send a crafted SCTP COOKIE-ECHO sequence to the target.

Blast Radius

  • Reads arbitrary kernel memory, exposing credentials, cryptographic keys, and other sensitive data held in kernel slab allocations.
  • Writes to freed kernel memory (use-after-free), enabling overwrite of kernel data structures and potentially achieving arbitrary code execution in kernel context.
  • Crashes the affected host outright via a KASAN slab-use-after-free fault in the SCTP scheduler dequeue path, causing a full system denial of service.
  • Any container or workload co-located on the affected kernel shares the blast radius, since kernel memory is not isolated per container.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication against all images in connected registries and pipelines, with no manual configuration required. Because this is a kernel-level use-after-free rated 9.8 CRITICAL, it is surfaced at the top of each affected environment's finding queue and weighted against compliance policy before routing. For customers who opt into auto-remediation, a rebuilt image at the patched kernel version is produced, a regression test run is executed, and a PR is opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with recommended actions including restricting SCTP port exposure via network policy, applying egress filtering to limit peer reachability, and prioritizing a manual kernel upgrade to the fix commits listed in the advisory.


Fix available

Affected packages
  • Linux / Linux (by commit)
    < 84b7a319105db2f917ccdcf502bdc866082b1285 (from 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51)
    < f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8 (from 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51)
    < 3c0741a441a7df7099d7ca6a64a6a0de09c677c8 (from 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51)
    < 2afc9e684dc7fecf73db1edc937ebbc47b4b68dc (from 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51)
    < 1d4652f677906a64487c13f9ace54b0eb263b5d0 (from 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51)
    < a6207349e703cfc04756a4d16dec9176135813a5 (from 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51)
  • Linux / Linux (by version)
    Affected from 4.15
    Fixed in 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1
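A quick way to turn the version data above into an "am I affected?" check is to compare the running kernel's release string against the per-branch fix versions, plus a look at whether the sctp module is even loaded. This is an added example, not HarborGuard's or the kernel's code; it assumes the fix versions and the 4.15 start of the affected range exactly as listed on this page (the bare "0" entry is omitted), and it compares upstream version numbers only, so a distribution kernel that backports the fix without bumping its version will still show as affected.

```python
"""Assess a kernel release against the CVE-2026-52924 fix versions from this record."""
import platform
import re

# Fix versions as listed under "Fixed in" on this page (the bare "0" entry omitted); 7.1 is mainline.
FIXED_VERSIONS = ["5.10.259", "5.15.210", "6.1.176", "6.6.143",
                  "6.12.94", "6.18.36", "7.0.13", "7.1"]
FIRST_AFFECTED = "4.15"  # affected range starts at the stream-scheduler commit in 4.15

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(release: str) -> tuple:
    """'6.6.143-1-generic' -> (6, 6, 143, 1, 0); '7.1.0-rc1' -> (7, 1, 0, 0, 1).
    The fourth field sorts an -rc below the final release of the same number."""
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def assess(release: str) -> str:
    """Return 'not-affected', 'fixed', 'affected' or 'affected-no-fix-on-branch'.
    Upstream version comparison only: a distro kernel that backports the fix
    without changing its version will still show as affected here."""
    v = parse_version(release)
    if v < parse_version(FIRST_AFFECTED):
        return "not-affected"  # predates the vulnerable scheduler code
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if f[:2] == v[:2]:  # same stable branch (major.minor)
            return "fixed" if v >= f else "affected"
    if v >= parse_version(FIXED_VERSIONS[-1]):
        return "fixed"  # any release at or after the mainline fix
    return "affected-no-fix-on-branch"  # e.g. an end-of-life branch such as 6.8


def sctp_module_loaded(proc_modules: str) -> bool:
    """True if 'sctp' is a loaded module in /proc/modules text (first column only,
    so a dependency list such as 'libcrc32c ... sctp,' does not count).
    Caveat: CONFIG_IP_SCTP=y builds SCTP in and never lists it here."""
    return any(line.split()[0] == "sctp" for line in proc_modules.splitlines() if line.strip())


if __name__ == "__main__" and platform.system() == "Linux":
    print(platform.release(), "->", assess(platform.release()))
```

On a live host, feed the contents of /proc/modules to sctp_module_loaded() to see whether the vulnerable receive path is reachable at all; a result of "affected" on a vendor kernel should be confirmed against that vendor's own advisory before acting.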
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H