Linux Kernel SCTP SENDALL Use-After-Free via PEEL Migration
CVE-2026-46227 Published on May 28, 2026
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
In the Linux kernel, the following vulnerability has been resolved:
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu(). The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp. After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).
Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns. @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.
Vulnerability Analysis
CVE-2026-46227 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a TOCTTOU Vulnerability?
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.
CVE-2026-46227 has been classified to as a TOCTTOU vulnerability or weakness.
Products Associated with CVE-2026-46227
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-46227 are published in these products:
Affected Versions
Linux:- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below f3a3f0b406b4b7eb3cea35a23fa2bf170848b104 is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below 0dbc8cde64280fc37cdd678cced34eaf96cfb197 is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below 0c7b55974f97b78d1109025eadf084e74cbf330f is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below 1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078 is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below 6187a172d6ed57d6b2c327836e4407c6456e639d is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below c9dadb31f36045a8cb65df4bd75e7237ef21a4b5 is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below bf0f40d8107e2ce827521968dc6926f3e13728ae is affected.
- Version 4910280503f3af2857d5aa77e35b22d93a8960a8 and below abb5f36771cc4c05899b34000829a787572a8817 is affected.
- Version 4.17 is affected.
- Before 4.17 is unaffected.
- Version 5.10.258, <= 5.10.* is unaffected.
- Version 5.15.209, <= 5.15.* is unaffected.
- Version 6.1.175, <= 6.1.* is unaffected.
- Version 6.6.140, <= 6.6.* is unaffected.
- Version 6.12.90, <= 6.12.* is unaffected.
- Version 6.18.32, <= 6.18.* is unaffected.
- Version 7.0.9, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.
- Version 0:6.12.0-211.32.1.el10_2 and below * is unaffected.
- Version 0:6.12.0-55.82.1.el10_0 and below * is unaffected.
- Version 0:4.18.0-553.140.1.rt7.481.el8_10 and below * is unaffected.
- Version 0:4.18.0-553.140.1.el8_10 and below * is unaffected.
- Version 0:4.18.0-305.194.1.el8_4 and below * is unaffected.
- Version 0:4.18.0-305.194.1.el8_4 and below * is unaffected.
- Version 0:4.18.0-372.198.1.el8_6 and below * is unaffected.
- Version 0:4.18.0-372.198.1.el8_6 and below * is unaffected.
- Version 0:4.18.0-477.147.1.el8_8 and below * is unaffected.
- Version 0:4.18.0-477.147.1.el8_8 and below * is unaffected.
- Version 0:5.14.0-687.22.1.el9_8 and below * is unaffected.
- Version 0:5.14.0-284.176.1.el9_2 and below * is unaffected.
- Version 0:5.14.0-284.176.1.rt14.461.el9_2 and below * is unaffected.
- Version 0:5.14.0-427.132.1.el9_4 and below * is unaffected.
- Version 0:5.14.0-570.125.1.el9_6 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.