PT-2026-52320 · Linux · Linux

Published

2026-06-25

·

Updated

2026-06-25

·

CVE-2026-53225

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af->from_addr_param(), which reads the full address (16 bytes for IPv6) trusting the parameter's declared length.
An unauthenticated peer can send a truncated trailing ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header; reached from the no-association lookup path, from_addr_param() then reads uninitialized bytes past the parameter.
Impact: an unauthenticated SCTP peer makes the receive path read up to 16 bytes of uninitialized memory past a truncated ASCONF address parameter.
The sibling __sctp_rcv_init_lookup() bounds parameters with sctp_walk_params(); this path open-codes the fetch and omits the bound. Verify the whole address parameter lies within the chunk before from_addr_param() reads it, the same class of fix as commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
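
The bound described above, as a userspace sketch added here for illustration; it is not the kernel patch or code from the original page. The function name `asconf_addr_len`, the constants and the sample buffers are assumptions constructed for this example, with wire sizes taken from the SCTP chunk and address parameter formats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CHUNK_HDR = 4, ADDIP_HDR = 4, PARAM_HDR = 4,  /* wire sizes in bytes */
       PARAM_IPV4 = 5, PARAM_IPV6 = 6 };              /* address parameter types */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns how many address bytes may safely be read at chunk + 12,
 * or -1 if the address parameter is not wholly inside the chunk. */
int asconf_addr_len(const uint8_t *chunk, size_t avail)
{
    const size_t off = CHUNK_HDR + ADDIP_HDR;    /* offset of the parameter header */
    size_t clen, plen, want;

    if (avail < CHUNK_HDR)
        return -1;
    clen = be16(chunk + 2);                      /* declared chunk length */
    if (clen > avail || clen < off + PARAM_HDR)  /* room for the headers only */
        return -1;
    plen = be16(chunk + off + 2);                /* declared parameter length */
    switch (be16(chunk + off)) {
    case PARAM_IPV4: want = 4;  break;
    case PARAM_IPV6: want = 16; break;
    default:         return -1;
    }
    if (plen != PARAM_HDR + want)                /* length must match the family */
        return -1;
    if (plen > clen - off)                       /* the bound: whole parameter in chunk */
        return -1;
    return (int)want;
}

/* Constructed samples: ASCONF (type 0xC1), serial 1, one address parameter. */
static const uint8_t truncated[12] = { 0xC1, 0, 0, 12, 0, 0, 0, 1, 0, 6, 0, 20 };
static const uint8_t complete6[28] = { 0xC1, 0, 0, 28, 0, 0, 0, 1, 0, 6, 0, 20,
                                       0x20, 0x01, 0x0d, 0xb8, [27] = 1 };
static const uint8_t complete4[16] = { 0xC1, 0, 0, 16, 0, 0, 0, 1, 0, 5, 0, 8,
                                       192, 0, 2, 1 };

int main(void)
{
    printf("truncated IPv6: %d\n", asconf_addr_len(truncated, sizeof truncated));
    printf("complete IPv6:  %d\n", asconf_addr_len(complete6, sizeof complete6));
    printf("complete IPv4:  %d\n", asconf_addr_len(complete4, sizeof complete4));
    return 0;
}
```

The truncated sample passes the header-only check (12 bytes hold the chunk header, serial number and parameter header) and is rejected only by the final comparison, which is the step the advisory says was missing.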

Related identifiers

CVE-2026-53225

Affected products

Linux