CVE-2026-23125

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.0

Description A null pointer dereference issue was identified in the SCTP transmit path during SCTP-AUTH key initialization. This occurs when processing an INIT ACK, specifically if sctp auth asoc init active key() fails. The issue arises because asoc->shkey remains NULL while asoc->peer.auth capable and asoc->peer.peer chunks have already been set. This can lead to a DATA chunk with authentication enabled being queued, potentially causing a crash when transmitted alongside a COOKIE ECHO. The root cause is the order of command execution within the SCTP state machine. The fix involves moving the SCTP CMD ASSOC SHKEY command immediately after SCTP CMD PEER INIT to prevent authenticated DATA from being sent if shared key generation fails.

Recommendations Upgrade to Linux kernel version 6.6.0 or later.