Bug 2482564 (CVE-2026-46227) - CVE-2026-46227 kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Summary: CVE-2026-46227 kernel: sctp: revalidate list cursor after sctp_sendmsg_to_aso...
Keywords:
Status: NEW
Alias: CVE-2026-46227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 11:03 UTC by OSIDB Bzimport
Modified: 2026-07-09 01:48 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:26462 0 None None None 2026-06-17 01:14:05 UTC
Red Hat Product Errata RHSA-2026:26515 0 None None None 2026-06-17 06:33:41 UTC
Red Hat Product Errata RHSA-2026:26535 0 None None None 2026-06-17 09:18:51 UTC
Red Hat Product Errata RHSA-2026:26563 0 None None None 2026-06-17 11:58:42 UTC
Red Hat Product Errata RHSA-2026:27731 0 None None None 2026-06-22 05:04:22 UTC
Red Hat Product Errata RHSA-2026:27735 0 None None None 2026-06-22 06:02:13 UTC
Red Hat Product Errata RHSA-2026:33899 0 None None None 2026-07-01 00:15:57 UTC
Red Hat Product Errata RHSA-2026:34094 0 None None None 2026-07-01 08:59:12 UTC
Red Hat Product Errata RHSA-2026:36018 0 None None None 2026-07-06 19:57:16 UTC
Red Hat Product Errata RHSA-2026:36348 0 None None None 2026-07-07 19:25:45 UTC
Red Hat Product Errata RHSA-2026:36349 0 None None None 2026-07-07 19:40:34 UTC
Red Hat Product Errata RHSA-2026:36956 0 None None None 2026-07-09 01:48:34 UTC

Description OSIDB Bzimport 2026-05-28 11:03:30 UTC
In the Linux kernel, the following vulnerability has been resolved:

sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu().  The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp.  After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns.  @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb027307 ("sctp: walk the list of asoc
safely") was added for.

Comment 3 errata-xmlrpc 2026-06-17 01:14:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:26462 https://access.redhat.com/errata/RHSA-2026:26462

Comment 4 errata-xmlrpc 2026-06-17 06:33:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:26515 https://access.redhat.com/errata/RHSA-2026:26515

Comment 5 errata-xmlrpc 2026-06-17 09:18:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:26535 https://access.redhat.com/errata/RHSA-2026:26535

Comment 6 errata-xmlrpc 2026-06-17 11:58:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:26563 https://access.redhat.com/errata/RHSA-2026:26563

Comment 7 errata-xmlrpc 2026-06-22 05:04:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:27731 https://access.redhat.com/errata/RHSA-2026:27731

Comment 8 errata-xmlrpc 2026-06-22 06:02:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:27735 https://access.redhat.com/errata/RHSA-2026:27735

Comment 9 errata-xmlrpc 2026-07-01 00:15:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

Via RHSA-2026:33899 https://access.redhat.com/errata/RHSA-2026:33899

Comment 10 errata-xmlrpc 2026-07-01 08:59:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:34094 https://access.redhat.com/errata/RHSA-2026:34094

Comment 11 errata-xmlrpc 2026-07-06 19:57:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:36018 https://access.redhat.com/errata/RHSA-2026:36018

Comment 12 errata-xmlrpc 2026-07-07 19:25:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:36348 https://access.redhat.com/errata/RHSA-2026:36348

Comment 13 errata-xmlrpc 2026-07-07 19:40:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:36349 https://access.redhat.com/errata/RHSA-2026:36349

Comment 14 errata-xmlrpc 2026-07-09 01:48:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:36956 https://access.redhat.com/errata/RHSA-2026:36956


Note You need to log in before you can comment on or make changes to this bug.