PT-2026-52341 · Linux · Linux
Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-53246
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

sctp: validate cached peer INIT chunk length in COOKIE ECHO processing

When a listening SCTP server processes a COOKIE ECHO chunk, the cached
peer INIT chunk embedded after the cookie is parsed and its parameters
are later walked by sctp_process_init() using sctp_walk_params().

However, the chunk header length of this cached INIT chunk was not
validated against the remaining buffer in the COOKIE ECHO payload. If
the length field is inflated, the parameter walk can run beyond the
actual received data, leading to out-of-bounds reads and potential
memory corruption during later parameter handling (e.g. STATE COOKIE
processing and kmemdup() copies).

Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT
chunk length does not exceed the available data in the COOKIE ECHO
buffer before it is used.
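
The check described above, as an added userspace C illustration (not the kernel patch and not kernel code): the length claimed in the cached INIT chunk header is compared with the bytes actually received before any parameter is walked. The names `walk_cached_init` and `build_sample`, the `cookie_len` parameter and the sample bytes are constructed for this example, and the minimum-size and per-parameter checks go beyond the single check the description names.

```c
#include <stdint.h>
#include <string.h>

#define CHUNK_HDR_LEN  4u   /* type(1) flags(1) length(2), big-endian */
#define INIT_FIXED_LEN 16u  /* fixed INIT fields that follow the chunk header */
#define PARAM_HDR_LEN  4u   /* parameter type(2) length(2) */
static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Count the parameters of the INIT cached after a cookie of cookie_len bytes
 * (hypothetical layout). Returns -1 if any length exceeds the received data. */
int walk_cached_init(const uint8_t *payload, size_t payload_len, size_t cookie_len)
{
    const size_t min_len = CHUNK_HDR_LEN + INIT_FIXED_LEN;
    if (payload_len < cookie_len || payload_len - cookie_len < min_len)
        return -1;
    const uint8_t *init = payload + cookie_len;
    size_t chunk_len = be16(init + 2);
    /* Claimed chunk length must fit in the bytes actually present. */
    if (chunk_len < min_len || chunk_len > payload_len - cookie_len)
        return -1;
    int count = 0;
    for (size_t off = min_len; chunk_len - off >= PARAM_HDR_LEN; ) {
        size_t plen = be16(init + off + 2);
        if (plen < PARAM_HDR_LEN || plen > chunk_len - off)
            return -1;
        count++;
        size_t padded = (plen + 3u) & ~(size_t)3u;  /* 4-byte alignment */
        if (padded > chunk_len - off) break;        /* last one may be unpadded */
        off += padded;
    }
    return count;
}

/* Constructed sample: zeroed cookie, INIT claiming claimed_len, one parameter. */
size_t build_sample(uint8_t *buf, size_t cookie_len, uint16_t claimed_len)
{
    memset(buf, 0, cookie_len + 28);
    uint8_t *init = buf + cookie_len;
    init[0] = 1;                                     /* chunk type INIT */
    init[2] = (uint8_t)(claimed_len >> 8); init[3] = (uint8_t)(claimed_len & 0xff);
    init[20] = 0x80; init[21] = 0x08; init[23] = 8;  /* constructed parameter, length 8 */
    return cookie_len + 28;                          /* 28 = real INIT size here */
}

int main(void)
{
    uint8_t buf[64];  /* inflated length (512) must be rejected: exit status 0 */
    return walk_cached_init(buf, build_sample(buf, 8, 512), 8) == -1 ? 0 : 1;
}
```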
Related Identifiers
Affected Products
Linux