In the Linux kernel, the following vulnerability has been resolved:
sctp: validate embedded INIT chunk and address list lengths in cookie
sctpunpackcookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header.
A malformed COOKIEECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctpinitchunk). Later, sctpprocess_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.
In addition, rawaddrlistlen is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized rawaddrlistlen and cause sctprawtobindaddrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.
Fix this by:
Note that sctpverifyinit() must be called after sctpunpackcookie() and before sctpprocessinit() when cookie authentication is disabled. This will be addressed in a separate patch.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53224.json",
"cna_assigner": "Linux"
}