HarborGuard Database

CRITICAL · CVE-2026-53224 · Published · Modified · CNA: Linux

CVE-2026-53224: sctp: validate embedded INIT chunk and address list lengths in cookie

In the Linux kernel, the following vulnerability has been resolved:

sctp: validate embedded INIT chunk and address list lengths in cookie

sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header. A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.

In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.

Fix this by:

  • requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk);
  • validating that the INIT chunk and raw address list together fit within the cookie payload;
  • verifying sufficient data exists for each address parameter header and payload before parsing it.

Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.
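The three checks the fix describes, written here as an added user-space model for this entry rather than the kernel's own code: the header sizes follow the kernel's struct sctp_chunkhdr, sctp_inithdr and sctp_paramhdr layouts, while the cookie framing (INIT chunk immediately followed by the raw address list), the function name and the status codes are assumptions. The inline comments mark which of the three checks closes which read past the cookie named in the description.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model of the headers involved. The header sizes
 * mirror the kernel's struct sctp_chunkhdr, sctp_inithdr and sctp_paramhdr;
 * the cookie framing and the status codes are modelling assumptions. */
#define CHUNKHDR_LEN   4u  /* type, flags, 16-bit length */
#define INITHDR_LEN   16u  /* init_tag, a_rwnd, two stream counts, initial_tsn */
#define INIT_CHUNK_LEN (CHUNKHDR_LEN + INITHDR_LEN) /* sizeof(struct sctp_init_chunk) */
#define PARAMHDR_LEN   4u  /* 16-bit type, 16-bit length */

enum cookie_status { COOKIE_OK = 0, COOKIE_INIT_TRUNCATED, COOKIE_ADDRS_OVERSIZED, COOKIE_PARAM_BAD };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate the variable part of an unpacked cookie: an embedded INIT chunk
 * followed by raw_addr_list_len bytes of address parameters. Each length
 * is checked before the bytes it covers are read. */
enum cookie_status check_cookie_payload(const uint8_t *p, size_t len,
                                        size_t raw_addr_list_len)
{
    if (len < CHUNKHDR_LEN)
        return COOKIE_INIT_TRUNCATED;
    size_t init_len = be16(p + 2);
    /* Fix 1: the vulnerable code only checked init_len <= len, so a length
     * below sizeof(struct sctp_init_chunk) passed and sctp_process_init()
     * then read INIT parameters past the end of the chunk. */
    if (init_len < INIT_CHUNK_LEN || init_len > len)
        return COOKIE_INIT_TRUNCATED;
    /* Fix 2: INIT chunk and address list together must fit the payload;
     * an unchecked raw_addr_list_len is what drove sctp_raw_to_bind_addrs()
     * beyond the end of the cookie. */
    if (raw_addr_list_len > len - init_len)
        return COOKIE_ADDRS_OVERSIZED;
    /* Fix 3: every address parameter needs a complete header and a
     * length that fits in what remains of the list. */
    const uint8_t *a = p + init_len;
    size_t rem = raw_addr_list_len;
    while (rem > 0) {
        if (rem < PARAMHDR_LEN)
            return COOKIE_PARAM_BAD;
        size_t plen = be16(a + 2);
        if (plen < PARAMHDR_LEN || plen > rem)
            return COOKIE_PARAM_BAD;
        a += plen;
        rem -= plen;
    }
    return COOKIE_OK;
}
```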

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

This is an out-of-bounds read vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation. A remote attacker with no authentication can send a malformed COOKIE_ECHO packet containing a truncated INIT chunk or an oversized address list length, triggering reads beyond the bounds of the cookie payload buffer. Successful exploitation exposes sensitive kernel memory contents and can crash the affected system. Patched-image rebuilds at fix versions 6.18.36 and 7.0.13 (and the corresponding commit SHAs for other stable branches) are available on HarborGuard for environments running affected kernel versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53224 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle affected kernel versions.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 (Critical) and weights it against each environment's configured compliance policy, escalating findings according to severity thresholds. Triage results are routed to the appropriate team inbox within each customer organization based on their notification and ownership rules.

Patch: Available

A patched-image rebuild targeting the applicable fix versions (6.18.36, 7.0.13, or the relevant commit SHAs for other branches) becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target's SCTP service over the network; no prior presence on the host is needed.

  • Authentication: Not required

    No credentials or account are required; the malformed packet can be sent by any unauthenticated network peer.

  • Victim interaction: Not required

    No user action is required; the vulnerability is triggered entirely by the attacker sending a crafted packet.

  • Attack complexity: Low (CVSS AC:L)

    Exploit conditions are straightforward and reliable; no race conditions, memory layout guessing, or special environmental state is required.

Blast Radius

  • Reads kernel memory beyond the end of the SCTP cookie buffer, which may include sensitive data from other kernel structures or processes.
  • Crashes the affected kernel (denial of service) by triggering an out-of-bounds memory access during SCTP cookie processing, taking down any workloads running on that host.
  • On container hosts, a kernel crash affects all containers sharing that kernel, not just the one processing SCTP traffic.
  • Where cookie authentication is disabled, the address-list parser can be driven to read significantly beyond the cookie boundary, widening the window of exposed memory.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53224 has been active across all connected registries and pipelines since the moment the CVE was published. For environments running affected Linux kernel versions, a patched-image rebuild at 6.18.36, 7.0.13, or the relevant commit-pinned stable branch is available now. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a pull request against the affected workload repository; for critical-severity CVEs, the median time from publication to merged PR is approximately 90 minutes in auto-remediation-enabled environments. Where auto-remediation is not enabled, HarborGuard surfaces the finding with the fix version pre-populated so engineers can act immediately.

As a compensating control prior to patching, consider applying network policy rules that restrict SCTP traffic to trusted peers only, reducing the set of hosts that can deliver malformed COOKIE_ECHO packets to vulnerable endpoints.


Fix available

  • 0
  • 512a9bb77c04ac9927648ea58af617e472be96e6
  • 6.18.36
  • 6f4c80a2a7e6d06753b89a578b710a2499a5e62b
  • 7.0.13
  • 7.1
  • 7560afb8cddafd829e709d7ea09230e45a825557

Affected packages

  • Linux / Linux, by commit:
    < 7560afb8cddafd829e709d7ea09230e45a825557 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 512a9bb77c04ac9927648ea58af617e472be96e6 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 6f4c80a2a7e6d06753b89a578b710a2499a5e62b (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
  • Linux / Linux, by version:
    2.6.12
    Fixed in 0, 6.18.36, 7.0.13, 7.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H