CVE-2026-53004

Source
https://cve.org/CVERecord?id=CVE-2026-53004
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53004.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53004
Downstream
Published
2026-06-24T16:29:16.151Z
Modified
2026-07-08T08:13:45.206725953Z
Summary
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
Details

In the Linux kernel, the following vulnerability has been resolved:

sctp: fix OOB write to userspace in sctpgetsockoptpeerauthchunks

sctpgetsockoptpeerauthchunks() checks that the caller's optval buffer is large enough for the peer AUTH chunk list with

if (len < num_chunks)
        return -EINVAL;

but then writes numchunks bytes to p->gauthchunks, which lives at offset offsetof(struct sctpauthchunks, gauthchunks) == 8 inside optval. The check is missing the sizeof(struct sctpauthchunks) = 8-byte header. When the caller supplies len == numchunks (for any numchunks > 0) the test passes but copytouser() writes sizeof(struct sctpauthchunks) = 8 bytes past the declared buffer.

The sibling function sctpgetsockoptlocalauthchunks() at the next line already has the correct check:

if (len < sizeof(struct sctp_authchunks) + num_chunks)
        return -EINVAL;

Align the peer variant with its sibling.

Reproducer confirms on v7.0-13-generic: an unprivileged userspace caller that opens a loopback SCTP association with AUTH enabled, queries numchunks with a short optval, then issues the real getsockopt with len == numchunks and sentinel bytes painted past the buffer observes those sentinel bytes overwritten with the peer's AUTH chunk type. The bytes written are under the peer's control but land in the caller's own userspace; this is not a kernel memory corruption, but it is a kernel-side contract violation that can silently corrupt adjacent userspace data.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53004.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
65b07e5d0d09c77e98050b5f0146ead29e5add32
Fixed
a132e199de69e2a45628aa8534df1bf5d44e1b6e
Fixed
2b5a2c957c7769d40110f725cf23987fcef50d75
Fixed
d45c7e99caf915b0f6c716bd8ffe9d45b9685761
Fixed
d67fbc6dea5dbf7f46c618ebf65910a276078e20
Fixed
6849b995cda88a677bf08a05765d1db7905974fc
Fixed
70a089cc9590aa347a61e84434116ab74619e3c3
Fixed
6bcf8fe4ef7967b22b814cbae9a57bbd3c853410
Fixed
0cf004ffb61cd32d140531c3a84afe975f9fc7ea

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53004.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.24
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53004.json"