CVE-2026-46227 (GCVE-0-2026-46227)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-05-28 09:40
VLAI
Title
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Summary
In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078 (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 6187a172d6ed57d6b2c327836e4407c6456e639d (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < c9dadb31f36045a8cb65df4bd75e7237ef21a4b5 (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < bf0f40d8107e2ce827521968dc6926f3e13728ae (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < abb5f36771cc4c05899b34000829a787572a8817 (git)
Create a notification for this product.
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.90 , ≤ 6.12.* (semver)
Unaffected: 6.18.32 , ≤ 6.18.* (semver)
Unaffected: 7.0.9 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "6187a172d6ed57d6b2c327836e4407c6456e639d",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "bf0f40d8107e2ce827521968dc6926f3e13728ae",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "abb5f36771cc4c05899b34000829a787572a8817",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc4",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T09:40:47.518Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
        },
        {
          "url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
        }
      ],
      "title": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46227",
    "datePublished": "2026-05-28T09:40:47.518Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-05-28T09:40:47.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46227",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46227\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:38.317\",\"lastModified\":\"2026-05-28T13:44:01.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\\n\\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\\ndrop the socket lock inside sctp_wait_for_sndbuf().\\n\\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\\nassociation cached in @tmp, migrating it to a new endpoint via\\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\\nnewep-\u003easocs), and optionally close the new socket which frees the\\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\\nnetwork ABORT for that association, processed in softirq while the\\nlock is dropped.\\n\\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\\nvia the \\\"sk != asoc-\u003ebase.sk\\\" and \\\"asoc-\u003ebase.dead\\\" checks, but nothing\\nrevalidates @tmp.  After a successful return, the iterator advances to\\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\\n\\nBoth are reachable from CapEff=0; the type-confusion path gives\\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\\n\\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\\nonly callers that list_del an association from ep-\u003easocs are\\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\\nsctp_wait_for_sndbuf() checks both under the lock before any\\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\\nbails before the re-derive.\\n\\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\\nthe @tmp cached by list_for_each_entry_safe() still covers the\\nlock-held free that ba59fb027307 (\\\"sctp: walk the list of asoc\\nsafely\\\") was added for.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.