CVE-2026-52924

Source
https://cve.org/CVERecord?id=CVE-2026-52924
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52924.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52924
Downstream
Related
Published
2026-06-24T07:14:18.646Z
Modified
2026-07-12T03:55:23.182487621Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
sctp: purge outqueue on stale COOKIE-ECHO handling
Details

In the Linux kernel, the following vulnerability has been resolved:

sctp: purge outqueue on stale COOKIE-ECHO handling

sctpstreamupdate() is only invoked when the association is moved into COOKIEWAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->outcurr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed.

However, a corner case exists in sctpsfdo526stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIEECHOED to COOKIEWAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk.

During the rollback, sctpstreamupdate() frees the old stream table and installs a new one, but it does not invalidate stream->outcurr. As a result, outcurr may still point to a freed sctpstreamout entry from the previous stream state.

Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->outcurr->ext, which can lead to use-after-free once the old stream state has been released via sctpstream_free().

This results in crashes such as (reported by Yuqi):

BUG: KASAN: slab-use-after-free in sctpschedfcfsdequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task minipoc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: minipoc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctpschedfcfsdequeue+0x13a/0x140 sctpoutqflush+0x1603/0x33e0 sctpdosm+0x31c9/0x5d30 sctpassocbhrcv+0x392/0x6f0 sctpinqpush+0x1db/0x270 sctprcv+0x138d/0x3c10

Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart.

Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52924.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5bbbbe32a43199c2b9ea5ea66fab6241c64beb51
Fixed
84b7a319105db2f917ccdcf502bdc866082b1285
Fixed
f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8
Fixed
3c0741a441a7df7099d7ca6a64a6a0de09c677c8
Fixed
2afc9e684dc7fecf73db1edc937ebbc47b4b68dc
Fixed
1d4652f677906a64487c13f9ace54b0eb263b5d0
Fixed
a6207349e703cfc04756a4d16dec9176135813a5
Fixed
83ade59e5da365f4bf8bce72c5a38774202b442f
Fixed
e374b22e9b07b72a25909621464ff74096151bfb

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52924.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52924.json"