PT-2026-52319 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53224
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
sctp: validate embedded INIT chunk and address list lengths in cookie
sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header.

A malformed COOKIE ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.

In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.

Fix this by:
- requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk);
- validating that the INIT chunk and raw address list together fit within the cookie payload;
- verifying sufficient data exists for each address parameter header and payload before parsing it.

Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.
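The three length checks the fix describes, as an added example in C that is not the kernel's own code: the header sizes are taken from RFC 4960 rather than the kernel's struct definitions, raw_addr_list_len is modelled as a caller-supplied value, and the sample cookie is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* RFC 4960 sizes (assumed here; not the kernel's struct definitions):
 * chunk header + fixed INIT fields = 20 bytes, parameter header = 4 bytes. */
enum { INIT_HDR_LEN = 20, PARAM_HDR_LEN = 4 };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the raw address list: each parameter needs a complete header, a length
 * at least that big, and a body that fits. Returns the count, or -1 if malformed. */
static int check_addr_list(const uint8_t *p, size_t len)
{
    int count = 0;
    while (len > 0) {
        if (len < PARAM_HDR_LEN) return -1;     /* truncated parameter header */
        size_t plen = be16(p + 2);              /* length includes the header */
        if (plen < PARAM_HDR_LEN || plen > len) return -1; /* bogus/oversized */
        size_t step = (plen + 3) & ~(size_t)3;  /* parameters are 4-byte padded */
        if (step > len) step = len;             /* last one may omit padding */
        p += step; len -= step; count++;
    }
    return count;
}

/* The three checks from the fix, run before any INIT parameter or address is
 * read. raw_addr_list_len stands for the length field carried in the cookie. */
bool cookie_layout_ok(const uint8_t *cookie, size_t cookie_len, size_t raw_addr_list_len)
{
    if (cookie_len < INIT_HDR_LEN) return false;
    size_t init_len = be16(cookie + 2);
    if (init_len < INIT_HDR_LEN || init_len > cookie_len)
        return false;                           /* 1. INIT must hold a full header */
    if (raw_addr_list_len > cookie_len - init_len)
        return false;                           /* 2. INIT + address list fit cookie */
    return check_addr_list(cookie + init_len, raw_addr_list_len) >= 0; /* 3. */
}

/* Constructed sample: 20-byte INIT (length 0x14) then one 8-byte IPv4 address
 * parameter (type 5). sample_patched() re-checks a copy with one byte changed. */
static const uint8_t sample_cookie[28] = {
    0x01, 0x00, 0x00, 0x14,  0, 0, 0, 1,  0, 0, 0, 0,  0, 1, 0, 1,  0, 0, 0, 0,
    0x00, 0x05, 0x00, 0x08,  10, 0, 0, 1 };
bool sample_patched(size_t off, uint8_t value, size_t raw_addr_list_len)
{
    uint8_t buf[sizeof sample_cookie];
    memcpy(buf, sample_cookie, sizeof buf);
    buf[off] = value;
    return cookie_layout_ok(buf, sizeof buf, raw_addr_list_len);
}
```

Overwriting byte 3 shrinks the embedded INIT length (check 1), an oversized raw_addr_list_len trips check 2, and overwriting byte 23 changes the address parameter length (check 3).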
Affected Products: Linux