Michal Tesar

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is caused by a transport use-after-free problem in the Linux kernel's SCTP implementation. When processing a duplicate COOKIE-ECHO chunk in `sctp sf do dupcook a()`, both COOKIE-ACK and SHUTDOWN chunks are allocated with the transport from the new association. However, later in the side-effect machine, the old association is used to send them out, and the old association's `shutdown last sent to` is set to the transport that the SHUTDOWN chunk is attached to in `sctp cmd setup t2()`, which actually belongs to the new association. After the new association is freed and the old association's T2 timeout, the old association's `shutdown last sent to` that is already freed would be accessed in `sctp sf t2 timer expire()`. This results in a panic. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.