{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-53246: sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-53246","status":"final","version":"1","initial_release_date":"2026-06-25T08:39:39.896Z","current_release_date":"2026-06-28T06:40:52.380Z","revision_history":[{"date":"2026-06-25T08:39:39.896Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: validate cached peer INIT chunk length in COOKIE_ECHO processing\n\nWhen a listening SCTP server processes a COOKIE_ECHO chunk, the cached\npeer INIT chunk embedded after the cookie is parsed and its parameters\nare later walked by sctp_process_init() using sctp_walk_params().\n\nHowever, the chunk header length of this cached INIT chunk was not\nvalidated against the remaining buffer in the COOKIE_ECHO payload. If\nthe length field is inflated, the parameter walk can run beyond the\nactual received data, leading to out-of-bounds reads and potential\nmemory corruption during later parameter handling (e.g. STATE_COOKIE\nprocessing and kmemdup() copies).\n\nAdd a bounds check in sctp_unpack_cookie() to ensure the cached INIT\nchunk length does not exceed the available data in the COOKIE_ECHO\nbuffer before it is used.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-53246 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-53246"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-53246"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/cc272185c9a9a4b7febc2de52eeaa3d00f19091e"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/edccbf3d63b0a3362bc916ea72edacc1e1ca456a"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/0861615c28de668669d748ef4eb913ea9262d13b"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 =1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 =1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 =1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 =1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <0861615c28de668669d748ef4eb913ea9262d13b","product":{"name":"Linux Linux >=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 <0861615c28de668669d748ef4eb913ea9262d13b","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"2.6.12","product":{"name":"Linux Linux 2.6.12","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:2.6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:2.6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.36","product":{"name":"Linux Linux 6.18.36","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:2.6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.13","product":{"name":"Linux Linux 7.0.13","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:2.6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1","product":{"name":"Linux Linux 7.1","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:2.6.12:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-53246","title":"sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: validate cached peer INIT chunk length in COOKIE_ECHO processing\n\nWhen a listening SCTP server processes a COOKIE_ECHO chunk, the cached\npeer INIT chunk embedded after the cookie is parsed and its parameters\nare later walked by sctp_process_init() using sctp_walk_params().\n\nHowever, the chunk header length of this cached INIT chunk was not\nvalidated against the remaining buffer in the COOKIE_ECHO payload. If\nthe length field is inflated, the parameter walk can run beyond the\nactual received data, leading to out-of-bounds reads and potential\nmemory corruption during later parameter handling (e.g. STATE_COOKIE\nprocessing and kmemdup() copies).\n\nAdd a bounds check in sctp_unpack_cookie() to ensure the cached INIT\nchunk length does not exceed the available data in the COOKIE_ECHO\nbuffer before it is used.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"],"fixed":["CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 0861615c28de668669d748ef4eb913ea9262d13b, 6.18.36, 7.0.13, 7.1, cc272185c9a9a4b7febc2de52eeaa3d00f19091e, edccbf3d63b0a3362bc916ea72edacc1e1ca456a.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}