CVE-2026-53246 is a vulnerability in Linux Kernel
Published on June 25, 2026
sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
In the Linux kernel, the following vulnerability has been resolved:
sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
When a listening SCTP server processes a COOKIE_ECHO chunk, the cached
peer INIT chunk embedded after the cookie is parsed and its parameters
are later walked by sctp_process_init() using sctp_walk_params().
However, the chunk header length of this cached INIT chunk was not
validated against the remaining buffer in the COOKIE_ECHO payload. If
the length field is inflated, the parameter walk can run beyond the
actual received data, leading to out-of-bounds reads and potential
memory corruption during later parameter handling (e.g. STATE_COOKIE
processing and kmemdup() copies).
Add a bounds check in sctp_unpack_cookie() to ensure the cached INIT
chunk length does not exceed the available data in the COOKIE_ECHO
buffer before it is used.
Products Associated with CVE-2026-53246
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below cc272185c9a9a4b7febc2de52eeaa3d00f19091e is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below edccbf3d63b0a3362bc916ea72edacc1e1ca456a is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 0861615c28de668669d748ef4eb913ea9262d13b is affected.
- Version 2.6.12 is affected.
- Before 2.6.12 is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.