CVE-2026-53225 Overview
CVE-2026-53225 is an uninitialized memory use vulnerability in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. The flaw resides in __sctp_rcv_asconf_lookup() within net/sctp/input.c. The function fails to verify that an Address Configuration (ASCONF) chunk's address parameter fully lies within the chunk before invoking af->from_addr_param(). An unauthenticated remote peer can transmit a truncated ASCONF chunk that declares an IPv6 address parameter but terminates after the 4-byte parameter header. The receive path then reads up to 16 bytes of uninitialized kernel memory past the parameter boundary.
Critical Impact
An unauthenticated SCTP peer can trigger reads of up to 16 bytes of uninitialized kernel memory, enabling potential information disclosure from kernel memory regions.
Affected Products
- Linux kernel SCTP subsystem (net/sctp/input.c)
- Distributions shipping vulnerable kernel versions prior to the referenced stable commits
- Systems with SCTP enabled and reachable from untrusted networks
Discovery Timeline
- 2026-06-25 - CVE-2026-53225 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-53225
Vulnerability Analysis
The vulnerability is classified as Uninitialized Memory Use [CWE-908] in the Linux kernel SCTP receive path. The function __sctp_rcv_asconf_lookup() validates only that the ASCONF chunk holds the ADDIP header and a parameter header. It then trusts the parameter's declared length when calling the address-family-specific handler af->from_addr_param(). For IPv6, this handler copies 16 bytes from the parameter into a kernel union sctp_addr.
When a remote peer sends a truncated ASCONF chunk that declares an IPv6 address parameter but stops after the 4-byte parameter header, the handler reads 12 bytes beyond the legitimate chunk data. This memory contains residual kernel data. The condition is reachable via the no-association lookup path, meaning no prior SCTP association is required.
Root Cause
The sibling routine __sctp_rcv_init_lookup() enforces parameter bounds using sctp_walk_params(). The vulnerable path open-codes parameter fetching and omits this bounds check. This is the same class of defect addressed by upstream commit 51e5ad549c43 ("net: sctp: fix KMSAN uninit-value in sctp_inq_pop"), where parameter length was trusted without verifying the underlying buffer contained the declared bytes.
Attack Vector
An unauthenticated remote attacker crafts a malformed SCTP packet containing an ASCONF chunk. The chunk declares an IPv6 address parameter with the standard length field but truncates the actual address bytes. The attacker transmits the packet to any reachable SCTP listener. The kernel's no-association lookup path processes the chunk and triggers the out-of-bounds read of uninitialized memory. The vulnerability is described in prose only; no public proof-of-concept code is referenced in the advisory data.
Detection Methods for CVE-2026-53225
Indicators of Compromise
- Unsolicited SCTP packets containing ASCONF chunks from external sources, particularly to hosts not actively participating in SCTP associations
- Malformed ASCONF chunks where the declared IPv6 address parameter length exceeds the remaining chunk bytes
- Kernel warnings or KMSAN/KASAN reports referencing __sctp_rcv_asconf_lookup or sctp_v6_from_addr_param
Detection Strategies
- Deploy network intrusion detection signatures that parse SCTP chunk headers and flag ASCONF chunks where parameter length fields exceed the chunk boundary
- Monitor kernel logs for SCTP-related warnings, oops messages, or memory sanitizer output during SCTP traffic processing
- Audit kernel versions across the fleet against the stable commit hashes referenced in the kernel.org advisories
Monitoring Recommendations
- Track inbound SCTP traffic volume and source distribution to detect anomalous probing of SCTP listeners
- Correlate SCTP receive errors with packet captures to identify malformed ASCONF chunks
- Inventory hosts with CONFIG_IP_SCTP enabled to scope exposure and prioritize patching
How to Mitigate CVE-2026-53225
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org commits, including 446e0ecd845a, 8ce96f118264, and d6bd0bb7697e
- Update to a distribution kernel that incorporates the SCTP ASCONF bounds-check fix
- Restrict SCTP traffic at network perimeters where SCTP is not a required protocol
Patch Information
The fix verifies that the full address parameter lies within the chunk boundary before from_addr_param() reads it. Backports are available across multiple stable kernel branches. Refer to the Linux kernel stable tree commits for the complete set of fix commits across supported branches.
Workarounds
- Blocklist the SCTP kernel module on systems that do not require it using /etc/modprobe.d/ with install sctp /bin/true
- Configure host or network firewalls to drop inbound SCTP (IP protocol 132) from untrusted sources
- Restrict SCTP listening services to internal management interfaces only where the protocol is required
# Disable SCTP module loading where not required
echo "install sctp /bin/true" | sudo tee /etc/modprobe.d/disable-sctp.conf
# Block inbound SCTP at the host firewall (iptables)
sudo iptables -A INPUT -p 132 -j DROP
# Verify currently running kernel version against patched commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

