CRITICAL · CVE-2026-53225 · Published · Modified · CNA: Linux

CVE-2026-53225: sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length. An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.

Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.

The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
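The bound the fix adds, shown as an added userspace example (not the kernel's code): a header-only check of the kind the description says the pre-fix path performed, beside a bounded check that requires the whole address parameter to lie inside the chunk before any address bytes are copied. The struct layouts, offsets and the two sample chunks are this example's own constructions following RFC 4960/5061 wire offsets; the chunk type 0xC1 and parameter types 5 (IPv4) and 6 (IPv6) are the RFC values, and `chunk_len` stands for the bytes actually present in the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire offsets per RFC 4960 (chunk header) and RFC 5061 (ASCONF: a 4-byte
 * serial number, then the address parameter). Example values, not kernel code. */
enum { CHUNK_HDR_LEN = 4, ADDIP_SERIAL_LEN = 4, PARAM_HDR_LEN = 4 };
enum { PARAM_IPV4 = 5, PARAM_IPV6 = 6 };   /* RFC 4960 address parameter types */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Address payload size implied by the parameter type: this is the amount a
 * from_addr_param()-style reader copies on the strength of the type alone. */
static size_t addr_len_for(uint16_t ptype)
{
    switch (ptype) {
    case PARAM_IPV4: return 4;
    case PARAM_IPV6: return 16;
    default:         return 0;
    }
}

/* Header-only check: only "ADDIP header plus one parameter header fit". This is
 * the shape the description says the lookup path used; it is insufficient. */
bool asconf_check_headers_only(const uint8_t *chunk, size_t chunk_len)
{
    (void)chunk;
    return chunk_len >= CHUNK_HDR_LEN + ADDIP_SERIAL_LEN + PARAM_HDR_LEN;
}

/* Bounded check: the declared parameter must be long enough for its address
 * type, and its declared extent must end inside the bytes actually present. */
bool asconf_check_param_bounded(const uint8_t *chunk, size_t chunk_len)
{
    if (!asconf_check_headers_only(chunk, chunk_len))
        return false;
    const uint8_t *param = chunk + CHUNK_HDR_LEN + ADDIP_SERIAL_LEN;
    uint16_t ptype = be16(param);
    uint16_t plen  = be16(param + 2);        /* declared length, header included */
    size_t need = addr_len_for(ptype);
    if (need == 0)                           /* not an address parameter */
        return false;
    if (plen < PARAM_HDR_LEN + need)         /* declared length too short */
        return false;
    size_t param_off = (size_t)(param - chunk);
    /* Subtract rather than add so the comparison cannot wrap. */
    if (plen > chunk_len - param_off)        /* parameter runs past the chunk */
        return false;
    return true;
}

/* Copies the address out only after the bounded check passes; returns the
 * number of address bytes copied, 0 if the parameter was rejected. */
size_t asconf_extract_addr(const uint8_t *chunk, size_t chunk_len, uint8_t out[16])
{
    if (!asconf_check_param_bounded(chunk, chunk_len))
        return 0;
    const uint8_t *param = chunk + CHUNK_HDR_LEN + ADDIP_SERIAL_LEN;
    size_t n = addr_len_for(be16(param));
    memcpy(out, param + PARAM_HDR_LEN, n);
    return n;
}

/* Constructed sample chunks (not captured traffic). ASCONF chunk type is 0xC1. */
const uint8_t asconf_complete_v6[28] = {
    0xC1, 0x00, 0x00, 0x1C,                  /* chunk hdr: type, flags, length 28 */
    0x00, 0x00, 0x00, 0x01,                  /* ADDIP serial number */
    0x00, 0x06, 0x00, 0x14,                  /* param: IPv6 address, length 20 */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,      /* 2001:db8::1 */
    0, 0, 0, 0, 0, 0, 0, 1 };
const uint8_t asconf_truncated_v6[12] = {
    0xC1, 0x00, 0x00, 0x0C,                  /* chunk hdr: length 12 */
    0x00, 0x00, 0x00, 0x01,                  /* ADDIP serial number */
    0x00, 0x06, 0x00, 0x14 };                /* declares 20 bytes; only header present */
```

The header-only check passes both samples, because both contain the 12 bytes it looks for; only the bounded check distinguishes the complete parameter from the truncated one, which is why the address copy is gated on it rather than on the parameter's self-declared length.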

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

An uninitialized-memory read vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) network stack, specifically in the __sctp_rcv_asconf_lookup() function. The flaw is reachable over the network without any authentication: a remote peer can send a malformed ASCONF chunk that causes the kernel to read up to 16 bytes of uninitialized memory beyond the end of the truncated packet. Successful exploitation leaks kernel memory contents to the attacker and can disrupt service availability. Patched-image rebuilds at the fix versions (5.10.259, 5.15.210, 6.1.176, and the upstream commit) are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-53225 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected kernel versions. Any image whose kernel lineage falls within the affected version ranges is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.1 (Critical) using the published v3.1 vector and surfaces it as a priority finding in each customer's triage queue. Per-environment compliance policy weighting is applied so that findings are routed to the correct team inbox inside each customer organization based on severity thresholds and asset classification.

Patch (Available)

A patched-image rebuild at the fix versions (5.10.259, 5.15.210, 6.1.176, or the upstream commit hash) becomes available on HarborGuard once the base image incorporating the fix is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is reachable over the network; an attacker must be able to send SCTP packets to an exposed port on the target host.

  • Authentication: Not required

    No authentication or existing association is needed; the flaw is reachable via the no-association lookup path, meaning any unauthenticated remote peer can trigger it.

  • Victim interaction: Not required

    No user or operator action is required; the attacker sends a crafted ASCONF chunk and the kernel processes it passively.

  • Attack complexity: Low

    Attack complexity is low; the exploit requires only sending a single malformed SCTP chunk with no race conditions or special environmental conditions to satisfy.

Blast Radius

  • An attacker reads up to 16 bytes of uninitialized kernel memory past the truncated ASCONF address parameter, which may contain sensitive in-memory data such as kernel pointers, stack canaries, or adjacent packet buffer contents.
  • Leaked kernel memory contents can undermine address-space layout randomization (ASLR) and related mitigations, weakening the host against follow-on exploitation.
  • The flaw can disrupt normal SCTP receive-path processing, degrading or crashing SCTP-dependent services on the host.

How HarborGuard Handles This

Available on HarborGuard: this Critical-severity CVE is matched against customer images within minutes of publication. Where compliance policy permits auto-remediation, HarborGuard rebuilds affected images at the patched kernel versions (5.10.259, 5.15.210, 6.1.176, or the upstream commit 446e0ecd845a), runs a regression test pass, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that manage patching manually, HarborGuard flags every affected image in the registry and pipeline views with remediation version guidance.

Because this flaw is exposed on any host accepting SCTP traffic from untrusted peers, customers should also consider applying kernel network policy rules that restrict SCTP (IP protocol 132, not a TCP/UDP port) to known peers as a compensating control until the patched image is promoted to production.


Fix available

  • 0
  • 446e0ecd845abc394b24ae2030a883572bec9d16
  • 5.10.259
  • 5.15.210
  • 6.1.176
  • 6.6.143
  • 6.12.94
  • 6.18.36
  • 7.0.13
  • 7.1
  • 8ce96f1182644079249a24ac7e2ffc32e0301a46
  • 8e86817b8af4d552f3c6fe04ca52bb0c8c57411d
  • 928dd94db23e8ba340f83d68f7f24d831b7a4426
  • d6bd0bb7697ea8c0387b0d9d973453f479017b23
  • d796cfd06074b579d265b28401306cadd30db945
  • f76a8b323e28e0951f979dbef20a7496383c47df
  • f8373d7090b745728de66308deeecc67e8d319ce

Affected packages

  • Linux / Linux
    < 446e0ecd845abc394b24ae2030a883572bec9d16 (from df21857714398acb8b24a8bb5a6d2286dd9c59ef)
    < 928dd94db23e8ba340f83d68f7f24d831b7a4426 (from df21857714398acb8b24a8bb5a6d2286dd9c59ef)
    < d796cfd06074b579d265b28401306cadd30db945 (from df21857714398acb8b24a8bb5a6d2286dd9c59ef)
    < 8ce96f1182644079249a24ac7e2ffc32e0301a46 (from df21857714398acb8b24a8bb5a6d2286dd9c59ef)
    < d6bd0bb7697ea8c0387b0d9d973453f479017b23 (from df21857714398acb8b24a8bb5a6d2286dd9c59ef)
    < f76a8b323e28e0951f979dbef20a7496383c47df (from df21857714398acb8b24a8bb5a6d2286dd9c59ef)
  • Linux / Linux
    2.6.25
    Fixed in 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H