HIGH 7.8

CVE-2026-46227: Linux SCTP Race Condition Use-After-Free Privilege Escalation

A race condition exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation that can lead to use-after-free or type-confusion memory safety violations. The vulnerability occurs when the kernel broadcasts messages to multiple SCTP associations while temporarily releasing the socket lock. During this window, another thread can migrate or free an association that the broadcast operation cached as the next item to process. This can result in the kernel operating on freed memory or misinterpreting data structures, potentially allowing local attackers to gain control over kernel execution flow.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-367, CWE-416
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-07-02

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.

19 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The SCTP_SENDALL code path in sctp_sendmsg() uses list_for_each_entry_safe() to iterate associations on an endpoint. This macro caches the next entry (@tmp) before entering the loop body. The loop calls sctp_sendmsg_to_asoc(), which may drop the socket lock via sctp_wait_for_sndbuf(). While unlocked, concurrent operations can: (1) SCTP_SOCKOPT_PEELOFF an association, migrating it to a new endpoint through sctp_sock_migrate() (list_del_init() followed by list_add_tail()), then close the new socket triggering kfree_rcu() on the association; or (2) network ABORT messages processed in softirq can free the association. The sctp_wait_for_sndbuf() revalidates the current entry (@asoc) via sk and dead checks but does not revalidate the cached @tmp. After return, the iterator resumes from @tmp—now a stale pointer—causing either use-after-free or type confusion where @newep->asocs is misinterpreted as a struct sctp_association, enabling controlled indirect calls through outqueue.sched->init_sid. The fix re-derives @tmp from @asoc post-operation to ensure validity.

Business impact

This vulnerability affects any Linux-based system handling SCTP traffic and permits local privilege escalation. An attacker with local access but no special capabilities (CapEff=0) can trigger memory corruption and execute arbitrary kernel code, compromising system confidentiality, integrity, and availability. This is particularly significant for containerized environments, shared hosting, and systems running SCTP-dependent applications (certain telecom, RTC, and clustering software). Exploitation does not require network access or elevated privileges, making it broadly exploitable by any local user.

Affected systems

All Linux kernel versions containing the SCTP subsystem are affected. This includes mainstream distributions (Ubuntu, Red Hat, Debian, SUSE) and embedded systems using the mainline or stable kernel branches. Systems must have SCTP enabled in the kernel configuration; check via 'cat /proc/net/sctp/snmp' or 'lsmod | grep sctp'. Specific patched versions vary by distribution; consult vendor advisories for your kernel series.

Exploitability

Exploitability is rated HIGH. The vulnerability is locally exploitable without elevated privileges (CapEff=0) and requires only multi-threaded execution capabilities and knowledge of SCTP message handling. No exploit is currently known to be widely available, but the attack vector is straightforward: trigger SCTP_SENDALL via one thread while concurrently performing SCTP_SOCKOPT_PEELOFF or awaiting network ABORT on another. The type-confusion path yielding an indirect function pointer call (outqueue.sched->init_sid) further reduces exploitation complexity once the race is reliable.

Remediation

Apply the Linux kernel patch that re-derives @tmp from @asoc after sctp_sendmsg_to_asoc() returns, ensuring the cached iterator is revalidated post-unlock. This fix is relatively lightweight and does not alter the SCTP API. All affected Linux distributions must backport this change to their stable kernel series. Users unable to patch immediately should disable SCTP in the kernel config if not required, or restrict local access to untrusted users.

Patch guidance

Patch availability varies by Linux distribution. Check your vendor's security advisory page (Red Hat, Ubuntu, SUSE, Debian) for CVE-2026-46227 to obtain the specific kernel version and errata ID. The upstream fix focuses on re-validation of the list iterator; verify the patch against the vendor advisory to confirm it includes the @tmp re-derive logic. Apply patches during a maintenance window; kernel updates typically require a reboot to take effect. For enterprises, coordinate with change management and validate in a test environment before production deployment.

Detection guidance

Kernel panic logs, ASAN/KASAN reports, or system core dumps may reveal use-after-free or type-confusion signatures near sctp_sendmsg() or the SCTP outqueue sched operations. Monitor for: (1) 'general protection faults' or 'BUG: unable to handle page fault' in SCTP code, (2) kmemleak or automated sanitizer reports in SCTP association objects, (3) unexplained kernel crashes or reboots correlated with multi-threaded SCTP client activity. Userspace monitoring of SCTP socket options (via netlink auditing or seccomp tracing) may detect abnormal SCTP_SOCKOPT_PEELOFF or SCTP_SENDALL usage patterns. At scale, correlate kernel logs across systems for timing anomalies coinciding with local process activity.

Why prioritize this

Assign this HIGH priority. The CVSS 3.1 score of 7.8 reflects local privilege escalation leading to complete system compromise (C:H I:H A:H). Although not yet in the KEV catalog, the attack vector is low complexity and requires only standard user privileges, meaning it affects most deployments. SCTP, while less common than TCP/UDP, is critical in telecom and real-time communication stacks; systems relying on SCTP must patch urgently. The multi-threaded race condition is readily triggered in modern containerized and multi-user environments.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector LOCAL (LAN only, no network attack), Attack Complexity LOW (race condition is triggerable without special conditions), Privileges Required LOW (user-level CapEff=0 sufficient), User Interaction NONE, Scope UNCHANGED (no privilege domain crossing required for impact scope), and full impact on Confidentiality, Integrity, and Availability. The score appropriately penalizes the local-only vector but credits the lack of complexity, low privilege bar, and complete compromise potential. Not yet flagged for active exploitation (KEV=false), but the exploit path is relatively accessible to threat actors with local access.

Frequently asked questions

Does this vulnerability require SCTP to be actively in use on my system?

Yes and no. The kernel code path is present in any kernel with SCTP compiled in. Active exploitation requires a process to invoke SCTP_SENDALL and SCTP_SOCKOPT_PEELOFF operations, typically in a multi-threaded or multi-process scenario. If SCTP is compiled but unused, the attack surface is reduced but not eliminated; an attacker with local access could deliberately trigger SCTP operations. Verify whether SCTP is loaded via 'lsmod | grep sctp' and whether your applications use it.

Can this be exploited remotely or across network boundaries?

No. This is a local privilege escalation vulnerability. The attacker must have shell access or be able to execute code on the target system. Network ABORT messages are part of the race condition but are secondary to the primary attack vector: local multi-threaded code triggering SCTP socket operations while holding or releasing locks.

What should I do if I cannot patch immediately?

If SCTP is not required by your applications or services, disable it in the kernel config and recompile, or blacklist the sctp module. If SCTP is essential, restrict local access via SELinux, AppArmor, or sudo policies to limit untrusted user interaction with the system. Increase monitoring for anomalous kernel crashes or process behavior. Prioritize patching SCTP-dependent systems in your update cycle and test patches in a staging environment first.

How does this differ from other Linux kernel memory safety issues?

The distinguishing factor is the race condition on a cached list iterator. Many memory safety bugs are triggered by a single code path; this vulnerability requires precise timing between two threads and relies on kernel synchronization properties (the socket lock). This makes it less trivial to stumble upon accidentally but highly reliable to trigger once understood, and the type-confusion aspect (misinterpreting a list head as a structure) enables controlled indirect calls for advanced exploitation.

This analysis is based on publicly available vulnerability data and Linux upstream documentation as of the publication date. CVSS and KEV status reflect data at time of analysis; these may be updated by NIST or other authoritative sources. Patch versions, availability timelines, and specific affected kernel versions vary by Linux distribution; consult your vendor's security advisory for authoritative patch information. SEC.co does not endorse or provide exploit code. Proof-of-concept information is provided for defensive and research purposes only. Organizations should validate all patches in a test environment before production deployment. This vulnerability requires local access to exploit; implement access controls and privilege restrictions to reduce risk. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).