CVE-2026-52924

In the Linux kernel, the following vulnerability has been resolved:

sctp: purge outqueue on stale COOKIE-ECHO handling

sctp stream update() is only invoked when the association is moved into COOKIE WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed.

However, a corner case exists in sctp sf do 5 2 6 stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE ECHOED to COOKIE WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk.

During the rollback, sctp stream update() frees the old stream table and installs a new one, but it does not invalidate stream->out curr. As a result, out curr may still point to a freed sctp stream out entry from the previous stream state.

Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out curr->ext, which can lead to use-after-free once the old stream state has been released via sctp stream free().

This results in crashes such as (reported by Yuqi):

BUG: KASAN: slab-use-after-free in sctp sched fcfs dequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task mini poc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: mini poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctp sched fcfs dequeue+0x13a/0x140 sctp outq flush+0x1603/0x33e0 sctp do sm+0x31c9/0x5d30 sctp assoc bh rcv+0x392/0x6f0 sctp inq push+0x1db/0x270 sctp rcv+0x138d/0x3c10

Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE WAIT restart.

Updating only stream->out curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.