CVE-2026-53246: sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
In the Linux kernel, the following vulnerability has been resolved:

sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing

When a listening SCTP server processes a COOKIE_ECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked by sctp_process_init() using sctp_walk_params(). However, the chunk header length of this cached INIT chunk was not validated against the remaining buffer in the COOKIE_ECHO payload. If the length field is inflated, the parameter walk can run beyond the actual received data, leading to out-of-bounds reads and potential memory corruption during later parameter handling (e.g. STATE_COOKIE processing and kmemdup() copies).

Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT chunk length does not exceed the available data in the COOKIE_ECHO buffer before it is used.
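As an added illustration (this is not the kernel's code and not the patch itself), the following user-space C sketch shows the shape of the check the description calls for: a COOKIE_ECHO payload is an opaque cookie followed by a cached peer INIT chunk, and that chunk's own 16-bit length field has to be validated against the bytes actually remaining before any parameter walk is bounded by it. The function names, the 8-byte cookie, and the sample bytes are constructed for this example; the chunk and parameter layouts follow RFC 9260. The "unchecked" function only reports the length a trusting parser would walk, so the example never itself reads past its buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire sizes from RFC 9260: chunk header (type, flags, length) and parameter
 * header (type, length) are 4 bytes each; an INIT chunk carries 16 bytes of
 * fixed fields (Initiate Tag, a_rwnd, OS, MIS, Initial TSN) before its TLVs. */
#define CHUNK_HDR_LEN   4
#define PARAM_HDR_LEN   4
#define INIT_FIXED_LEN  16
#define CHUNK_TYPE_INIT 1

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Walk the TLV parameters of an INIT chunk confined to chunk_len bytes.
 * Returns the parameter count, or -1 if a parameter would overrun the chunk. */
static int walk_params(const uint8_t *chunk, size_t chunk_len)
{
    size_t off = CHUNK_HDR_LEN + INIT_FIXED_LEN;
    int count = 0;

    while (off + PARAM_HDR_LEN <= chunk_len) {
        uint16_t plen = rd16(chunk + off + 2);
        if (plen < PARAM_HDR_LEN || off + plen > chunk_len)
            return -1;
        count++;
        off += (plen + 3u) & ~(size_t)3; /* parameters are padded to 4-byte multiples */
    }
    return count;
}

/* Schematic "before" (constructed): the cached INIT chunk's length field is
 * taken on trust, so a walk bounded by it can run past the received data. */
size_t cached_init_len_unchecked(const uint8_t *payload, size_t cookie_len)
{
    return rd16(payload + cookie_len + 2);
}

/* Hardened version: the cached INIT chunk length must cover the INIT header
 * plus fixed fields, and must not exceed the bytes left after the cookie. */
int unpack_cached_init(const uint8_t *payload, size_t payload_len, size_t cookie_len)
{
    const uint8_t *init;
    size_t remaining;
    uint16_t clen;

    if (cookie_len > payload_len || payload_len - cookie_len < CHUNK_HDR_LEN)
        return -1;
    init = payload + cookie_len;
    remaining = payload_len - cookie_len;
    if (init[0] != CHUNK_TYPE_INIT)
        return -1;
    clen = rd16(init + 2);
    if (clen < CHUNK_HDR_LEN + INIT_FIXED_LEN || clen > remaining)
        return -1; /* the bounds check the description calls for: reject, never clamp */
    return walk_params(init, clen);
}

/* Constructed sample: an 8-byte opaque cookie followed by a 24-byte INIT chunk
 * (header, fixed fields, one 4-byte Forward-TSN-Supported parameter 0xC000).
 * claimed_len is written into the INIT length field. Returns the payload size. */
size_t build_sample(uint8_t *buf, uint16_t claimed_len)
{
    size_t cookie_len = 8, off = cookie_len;

    memset(buf, 0xAA, cookie_len);                      /* opaque cookie bytes */
    buf[off] = CHUNK_TYPE_INIT;
    buf[off + 1] = 0;
    wr16(buf + off + 2, claimed_len);
    memset(buf + off + CHUNK_HDR_LEN, 0x11, INIT_FIXED_LEN);
    off += CHUNK_HDR_LEN + INIT_FIXED_LEN;
    wr16(buf + off, 0xC000);
    wr16(buf + off + 2, PARAM_HDR_LEN);
    return off + PARAM_HDR_LEN;                         /* 32 bytes in total */
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, 24);

    printf("honest length: params=%d\n", unpack_cached_init(buf, n, 8));
    build_sample(buf, 256);
    printf("inflated length: unchecked parser would walk %zu of %zu available bytes; checked=%d\n",
           cached_init_len_unchecked(buf, 8), n - 8, unpack_cached_init(buf, n, 8));
    return 0;
}
```

The design point is that the length is rejected, not clamped, when it does not fit: a clamped chunk would be parsed as a different INIT than the peer sent, which defeats the purpose of echoing it back in the cookie. The same "header length must fit the enclosing buffer" rule is applied again at each parameter TLV inside the chunk, since the inner walk is only safe once the outer bound is trustworthy.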
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An out-of-bounds read and potential memory corruption vulnerability exists in the Linux kernel's SCTP subsystem, specifically in how a listening server processes COOKIE_ECHO chunks. The flaw is reachable over the network with no authentication or user interaction required, as derived from the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation allows a remote attacker to read memory beyond intended boundaries and corrupt kernel memory, enabling full confidentiality loss, data tampering, and service disruption. Patched-image rebuilds at fix versions 6.18.36, 7.0.13, and 7.1 are available on HarborGuard for environments running affected kernel versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment - CVE-2026-53246 is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle affected Linux kernel versions. Any image whose kernel falls within the affected version ranges is flagged automatically.
HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and surfaces it with that severity weighting in each customer's compliance policy context, applying any per-environment risk thresholds before routing the finding to the appropriate team inbox. No manual feed polling or score lookup is required on the customer side.
A patched-image rebuild at kernel versions 6.18.36, 7.0.13, or 7.1 becomes available through HarborGuard the moment an affected image is identified. For customers who opt into auto-remediation, HarborGuard triggers a rebuild using the fixed base, runs the configured regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the target's SCTP listener over the network; no prior foothold on the host is needed.
- Authentication: Not required
No credentials or session tokens are needed; the malformed COOKIE_ECHO chunk can be sent by any unauthenticated remote peer.
- Victim interaction: Not required
The vulnerable code path is triggered by a network packet alone; no action by a logged-in user or administrator is required.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker reads kernel memory contents beyond the intended SCTP buffer boundary, which can expose sensitive in-kernel data such as cryptographic material, session state, or adjacent heap contents.
- The out-of-bounds access during parameter handling and kmemdup copies allows an attacker to corrupt kernel memory, opening a path to arbitrary code execution at the kernel level.
- An attacker can crash the affected host by triggering memory corruption that destabilizes kernel data structures, causing a kernel panic and taking down all workloads on that node.
- Any data processed by or stored in the affected kernel, including container workloads sharing that host, is at risk of unauthorized read or modification.
How HarborGuard Handles This
Available on HarborGuard: images running Linux kernel versions in the affected ranges are matched against CVE-2026-53246 within minutes of the advisory entering upstream feeds, covering both distribution-packaged kernels and custom-built images. Where compliance policy permits, HarborGuard can trigger a base-image rebuild pinned to kernel 6.18.36, 7.0.13, or 7.1, run the configured regression suite against the rebuilt image, and open a pull request targeting affected workloads. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for Critical-severity issues is around 90 minutes. Customers who have not enabled auto-remediation receive a prioritized finding in their HarborGuard dashboard with fix-version guidance so their teams can act immediately. If your deployment cannot upgrade the kernel right away, consider applying a network policy that restricts SCTP traffic to trusted peers only, reducing the pool of hosts that can send malformed COOKIE_ECHO chunks to the affected listener.
Fix available
- Linux / Linux: < cc272185c9a9a4b7febc2de52eeaa3d00f19091e (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < edccbf3d63b0a3362bc916ea72edacc1e1ca456a (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) · < 0861615c28de668669d748ef4eb913ea9262d13b (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
- Linux / Linux 2.6.12: Fixed in 0, 6.18.36, 7.0.13, 7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H