CVE-2026-23125 Overview
CVE-2026-23125 is a null pointer dereference vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation. The flaw occurs in the SCTP transmit path when SCTP-AUTH key initialization fails during processing of an INIT_ACK packet. This vulnerability can lead to a kernel crash, resulting in denial of service conditions on affected systems.
The issue was identified through KASAN (Kernel Address Sanitizer) reporting a null pointer dereference in the sctp_packet_bundle_auth function within net/sctp/output.c. The vulnerability is triggered when sctp_auth_asoc_init_active_key() fails in sctp_sf_do_5_1C_ack(), leaving asoc->shkey as NULL while asoc->peer.auth_capable and asoc->peer.peer_chunks have already been configured.
Critical Impact
This vulnerability can cause kernel crashes on Linux systems using SCTP with authentication enabled, potentially leading to service disruptions and system unavailability.
Affected Products
- Linux kernel versions with SCTP support enabled
- Systems running kernels prior to the security patch commits
- Network services and applications utilizing SCTP-AUTH functionality
Discovery Timeline
- 2026-02-14 - CVE-2026-23125 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23125
Vulnerability Analysis
The vulnerability exists in the ordering of SCTP command sequence processing during the SCTP association handshake. When an INIT_ACK packet is received and processed by sctp_sf_do_5_1C_ack(), the kernel executes a series of commands in a specific order. The problematic sequence was:
- SCTP_CMD_PEER_INIT - Sets asoc->peer.auth_capable and asoc->peer.peer_chunks
- SCTP_CMD_TIMER_STOP (T1_INIT)
- SCTP_CMD_TIMER_START (T1_COOKIE)
- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
- SCTP_CMD_ASSOC_SHKEY - Attempts to initialize the shared authentication key
- SCTP_CMD_GEN_COOKIE_ECHO
When SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL. By that point, however, the T1_COOKIE timer has already been started and the peer's authentication capabilities have already been recorded. This ordering window allows a DATA chunk with auth = 1 and shkey = NULL to be queued by sctp_datamsg_from_user().
When the T1_COOKIE timer fires, it enqueues a COOKIE_ECHO into the outqueue. The DATA chunk can then be transmitted alongside the COOKIE_ECHO in sctp_outq_flush_data(), causing the null pointer dereference when attempting to access the authentication shared key.
Root Cause
The root cause is the improper ordering of the SCTP_CMD_ASSOC_SHKEY command in the SCTP state machine processing sequence. The shared key initialization was positioned after timer manipulation commands, creating a window where authenticated data transmission could be attempted without a valid shared key. The fix involves reordering SCTP_CMD_ASSOC_SHKEY to execute immediately after SCTP_CMD_PEER_INIT, before any timer operations.
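The following Python model is an added illustration of the ordering argument above; it is not kernel code and not part of the original advisory. It replays the 5.1C-ack command list in both the original and the reordered form against a hypothetical, heavily simplified association structure (the names Assoc, sequence, run_commands, auth_data_window_open and simulate are all invented here). It assumes, as the advisory's description of the fix implies, that the command interpreter stops at the first command that fails and does not execute the commands after it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical, simplified association state. The real struct sctp_association
# has far more fields; only what the ordering argument needs is modelled.
@dataclass
class Assoc:
    auth_capable: bool = False      # asoc->peer.auth_capable
    peer_chunks: bool = False       # asoc->peer.peer_chunks populated
    shkey: Optional[bytes] = None   # asoc->shkey
    t1_init_running: bool = True    # T1_INIT has been running since INIT was sent
    t1_cookie_running: bool = False
    state: str = "COOKIE_WAIT"

Command = Tuple[str, Callable[[Assoc], bool]]   # (name, handler returning success)

def cmd_peer_init(a: Assoc) -> bool:
    a.auth_capable = True
    a.peer_chunks = True
    return True

def cmd_timer_stop_t1_init(a: Assoc) -> bool:
    a.t1_init_running = False
    return True

def cmd_timer_start_t1_cookie(a: Assoc) -> bool:
    a.t1_cookie_running = True
    return True

def cmd_new_state_cookie_echoed(a: Assoc) -> bool:
    a.state = "COOKIE_ECHOED"
    return True

def cmd_assoc_shkey_ok(a: Assoc) -> bool:
    a.shkey = b"constructed-shared-key"   # constructed placeholder, not a real key
    return True

def cmd_assoc_shkey_fail(a: Assoc) -> bool:
    return False   # models sctp_auth_asoc_init_active_key() failing

def cmd_gen_cookie_echo(a: Assoc) -> bool:
    return True

def sequence(shkey_cmd: Callable[[Assoc], bool], fixed: bool) -> List[Command]:
    """Build the command list in the original order or the reordered (fixed) order."""
    head: List[Command] = [("SCTP_CMD_PEER_INIT", cmd_peer_init)]
    shkey: Command = ("SCTP_CMD_ASSOC_SHKEY", shkey_cmd)
    timers_and_state: List[Command] = [
        ("SCTP_CMD_TIMER_STOP(T1_INIT)", cmd_timer_stop_t1_init),
        ("SCTP_CMD_TIMER_START(T1_COOKIE)", cmd_timer_start_t1_cookie),
        ("SCTP_CMD_NEW_STATE(COOKIE_ECHOED)", cmd_new_state_cookie_echoed),
    ]
    tail: List[Command] = [("SCTP_CMD_GEN_COOKIE_ECHO", cmd_gen_cookie_echo)]
    if fixed:
        return head + [shkey] + timers_and_state + tail
    return head + timers_and_state + [shkey] + tail

def run_commands(a: Assoc, cmds: List[Command]) -> Optional[str]:
    """Assumption: like the kernel's command interpreter, stop at the first failing
    command and skip the rest. Returns the failing command's name, or None."""
    for name, fn in cmds:
        if not fn(a):
            return name
    return None

def auth_data_window_open(a: Assoc) -> bool:
    """The unsafe condition from the advisory: peer is auth-capable, T1_COOKIE is
    armed (so a COOKIE_ECHO flush can bundle queued DATA), but shkey is NULL."""
    return a.auth_capable and a.t1_cookie_running and a.shkey is None

def simulate(fixed: bool, key_setup_fails: bool) -> Assoc:
    """Process one INIT_ACK with the chosen ordering and key-setup outcome."""
    a = Assoc()
    shkey_cmd = cmd_assoc_shkey_fail if key_setup_fails else cmd_assoc_shkey_ok
    run_commands(a, sequence(shkey_cmd, fixed))
    return a

if __name__ == "__main__":
    for fixed in (False, True):
        a = simulate(fixed, key_setup_fails=True)
        print(f"{'fixed' if fixed else 'original'} order, key setup fails: "
              f"window_open={auth_data_window_open(a)} "
              f"t1_init_running={a.t1_init_running} state={a.state}")
```

With the original order and a failed key setup, the model ends in COOKIE_ECHOED with T1_COOKIE armed and no shared key, which is exactly the window the advisory describes. With the reordered list the failure stops processing before any timer is touched, so the association stays in COOKIE_WAIT with T1_INIT still running and INIT will simply be retransmitted.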
Attack Vector
The vulnerability can be triggered through the following conditions:
- A system must have SCTP with authentication support enabled
- An SCTP association handshake must be in progress
- The shared key initialization process must fail (e.g., due to resource constraints or configuration issues)
- The T1_COOKIE timer must fire and attempt to flush data from the outqueue
The attack manifests in the kernel's softirq processing context (ksoftirqd/0), as indicated by the crash trace showing the processing path through sctp_rcv() → sctp_assoc_bh_rcv() → sctp_cmd_interpreter() → sctp_outq_flush() → sctp_packet_append_chunk() → sctp_packet_bundle_auth().
Detection Methods for CVE-2026-23125
Indicators of Compromise
- Kernel crash logs showing null pointer dereference in sctp_packet_bundle_auth or sctp_packet_append_chunk functions
- KASAN reports indicating null-ptr-deref in the address range 0x0000000000000018-0x000000000000001f
- System log entries showing ksoftirqd process crashes related to SCTP processing
- Unexpected kernel panics on systems with active SCTP connections using authentication
Detection Strategies
- Monitor kernel logs for SCTP-related null pointer dereference errors using dmesg or system logging infrastructure
- Deploy kernel tracing tools such as ftrace or eBPF probes to monitor SCTP state machine transitions and authentication key initialization failures
- Implement system monitoring to detect unexpected kernel crashes or soft lockups in SCTP processing paths
- Review audit logs for failed SCTP-AUTH key initialization events
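The following Python scanner is an added example of the log-monitoring strategy above; it is not part of the advisory and not a SentinelOne tool. It walks dmesg-style lines looking for the two crash signatures the advisory describes: a KASAN null-ptr-deref report (development kernels) and a plain "kernel NULL pointer dereference" oops (production kernels, where KASAN is normally off). A hit is attributed to this CVE only when the faulting function, the faulting offset from NULL and the softirq call chain all match what the advisory lists. The sample log, including every timestamp, symbol offset and PID, is constructed for the example; the function and class names are invented here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Crash sites and call chain named in the advisory.
SINK_FUNCS = {"sctp_packet_bundle_auth", "sctp_packet_append_chunk"}
EXPECTED_PATH = ["sctp_rcv", "sctp_assoc_bh_rcv", "sctp_cmd_interpreter",
                 "sctp_outq_flush", "sctp_packet_append_chunk"]
ADDR_LOW, ADDR_HIGH = 0x18, 0x1f   # faulting offsets from NULL per the advisory

TS = r"^(?:\[\s*[\d.]+\]\s*)?"   # optional dmesg timestamp prefix
KASAN_RE = re.compile(TS + r"BUG: KASAN: null-ptr-deref in (\w+)\+0x")
KASAN_ACCESS_RE = re.compile(TS + r"(?:Read|Write) of size \d+ at addr ([0-9a-f]+) by task (\S+)")
OOPS_RE = re.compile(TS + r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
COMM_RE = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+)")
RIP_RE = re.compile(TS + r"RIP: \d{4}:(\w+)\+0x")
FRAME_RE = re.compile(TS + r"\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
END_RE = re.compile(TS + r"(?:={10,}|---\[ end trace)")

@dataclass
class Finding:
    line_no: int
    kind: str                      # "kasan" or "oops"
    func: Optional[str] = None     # faulting function
    addr: Optional[int] = None     # faulting address (offset from NULL)
    task: Optional[str] = None
    frames: List[str] = field(default_factory=list)

    def matches_cve_2026_23125(self) -> bool:
        present = set(self.frames) | ({self.func} if self.func else set())
        in_sink = self.func in SINK_FUNCS
        in_range = self.addr is not None and ADDR_LOW <= self.addr <= ADDR_HIGH
        on_path = all(f in present for f in EXPECTED_PATH)
        return in_sink and in_range and on_path

def scan_kernel_log(lines: List[str]) -> List[Finding]:
    """Collect every NULL-dereference report and the stack frames that follow it."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for no, line in enumerate(lines, 1):
        m = KASAN_RE.match(line)
        if m:
            current = Finding(no, "kasan", func=m.group(1))
            findings.append(current)
            continue
        m = OOPS_RE.match(line)
        if m:
            current = Finding(no, "oops", addr=int(m.group(1), 16))
            findings.append(current)
            continue
        if current is None:
            continue
        if END_RE.match(line):
            current = None          # report finished; later frames belong elsewhere
            continue
        m = KASAN_ACCESS_RE.match(line)
        if m and current.kind == "kasan":
            current.addr, current.task = int(m.group(1), 16), m.group(2)
            continue
        m = COMM_RE.match(line)
        if m and current.kind == "oops":
            current.task = f"{m.group(2)}/{m.group(1)}"
            continue
        m = RIP_RE.match(line)
        if m and current.kind == "oops":
            current.func = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            current.frames.append(m.group(1))
    return findings

# Constructed sample log: one KASAN report matching the advisory, one unrelated
# KASAN report, and one production-style oops with the same SCTP call chain.
SAMPLE_DMESG = """\
[  100.000001] sctp: Hash tables configured (bind 256/256)
[  212.345678] ==================================================================
[  212.345700] BUG: KASAN: null-ptr-deref in sctp_packet_bundle_auth+0x1a0/0x2c0
[  212.345720] Read of size 8 at addr 0000000000000018 by task ksoftirqd/0/13
[  212.345740] Call Trace:
[  212.345750]  <TASK>
[  212.345760]  dump_stack_lvl+0x5e/0x90
[  212.345770]  kasan_report+0xc0/0xf0
[  212.345780]  sctp_packet_bundle_auth+0x1a0/0x2c0
[  212.345790]  sctp_packet_append_chunk+0x4e3/0x7a0
[  212.345800]  sctp_outq_flush+0x6b1/0x1c00
[  212.345810]  sctp_cmd_interpreter+0x1d2a/0x4fa0
[  212.345820]  sctp_assoc_bh_rcv+0x3a5/0x6e0
[  212.345830]  sctp_rcv+0x1f09/0x2a40
[  212.345840]  </TASK>
[  212.345850] ==================================================================
[  300.000000] BUG: KASAN: null-ptr-deref in some_other_driver_fn+0x10/0x40
[  300.000010] Read of size 4 at addr 0000000000000100 by task kworker/1:1/42
[  300.000020] Call Trace:
[  300.000030]  some_other_driver_fn+0x10/0x40
[  300.000040] ==================================================================
[  400.000000] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  400.000010] #PF: supervisor read access in kernel mode
[  400.000020] CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 0.0.0-constructed #1
[  400.000030] RIP: 0010:sctp_packet_bundle_auth+0x1a0/0x2c0
[  400.000040] Call Trace:
[  400.000050]  sctp_packet_append_chunk+0x4e3/0x7a0
[  400.000060]  sctp_outq_flush+0x6b1/0x1c00
[  400.000070]  sctp_cmd_interpreter+0x1d2a/0x4fa0
[  400.000080]  sctp_assoc_bh_rcv+0x3a5/0x6e0
[  400.000090]  sctp_rcv+0x1f09/0x2a40
[  400.000100] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for f in scan_kernel_log(SAMPLE_DMESG.splitlines()):
        tag = "CVE-2026-23125 signature" if f.matches_cve_2026_23125() else "other"
        print(f"line {f.line_no}: {f.kind} in {f.func} task={f.task} -> {tag}")
```

Feed it `dmesg` output or a journal export; the three-part match (function, offset, call chain) keeps unrelated NULL dereferences from being attributed to this CVE, while the oops branch covers hosts where KASAN is not compiled in.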
Monitoring Recommendations
- Enable KASAN (Kernel Address Sanitizer) in development and testing environments to catch memory access violations early
- Configure SentinelOne agents to monitor for kernel crash events and SCTP module anomalies
- Implement alerting on repeated SCTP association failures or authentication setup errors
- Deploy network traffic analysis to identify malformed or suspicious SCTP packets that could trigger this condition
How to Mitigate CVE-2026-23125
Immediate Actions Required
- Apply the official kernel patches to affected Linux systems as soon as possible
- Review and test SCTP-dependent applications for compatibility with patched kernels
- Consider temporarily disabling SCTP-AUTH if not required for operations until patches can be applied
- Monitor systems for signs of exploitation or unexpected crashes during the patching window
Patch Information
Multiple patches have been committed to the Linux kernel stable branches to address this vulnerability. The fix reorders the SCTP_CMD_ASSOC_SHKEY command to execute immediately after SCTP_CMD_PEER_INIT, ensuring that if shared key generation fails, no authenticated DATA chunks can be sent. The corrected sequence also allows the T1_INIT timer to retransmit INIT, giving the client another opportunity to process INIT_ACK and retry key setup.
Available patch commits:
- Kernel Git Commit 0c4adb1
- Kernel Git Commit 5a309be
- Kernel Git Commit 784428a
- Kernel Git Commit a80c9d9
- Kernel Git Commit bf2b543
- Kernel Git Commit e7e81ab
- Kernel Git Commit e942947
Workarounds
- If patching is not immediately feasible, consider disabling SCTP authentication by modifying SCTP socket options where operationally acceptable
- Restrict network access to SCTP services to trusted sources only using firewall rules
- Deploy SentinelOne's kernel protection capabilities to detect and prevent exploitation attempts
- Monitor affected systems closely for crash events while awaiting patch deployment
# Check if SCTP module is loaded
lsmod | grep sctp
# Verify current kernel version
uname -r
# Check for available kernel updates (Debian/Ubuntu)
apt list --upgradable | grep linux
# Check for available kernel updates (RHEL/CentOS)
yum check-update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

