2492108 – (CVE-2026-52929) CVE-2026-52929 kernel: sctp: stream: fully roll back denied add-stream state

Bug 2492108 (CVE-2026-52929) - CVE-2026-52929 kernel: sctp: stream: fully roll back denied add-stream state

Summary: CVE-2026-52929 kernel: sctp: stream: fully roll back denied add-stream state

Keywords:
Status:	NEW
Alias:	CVE-2026-52929
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-24 08:02 UTC by OSIDB Bzimport
Modified:	2026-06-24 14:58 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-24 08:02:20 UTC

In the Linux kernel, the following vulnerability has been resolved:

sctp: stream: fully roll back denied add-stream state

When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
then lowers outcnt. That leaves removed stream metadata behind, so a
later re-add can reuse a stale ext and hit a null-pointer dereference in
the scheduler get path.

Fix the rollback by tearing down the removed stream state the same way
other stream resizes do. Unschedule the current scheduler state, drop
the removed stream ext state with sctp_stream_outq_migrate(), and then
reschedule the remaining streams.

This keeps scheduler-private RR/FC/PRIO lists consistent while fully
rolling back denied outgoing stream additions.

Comment 1 Keith Grant 2026-06-24 14:57:34 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062432-CVE-2026-52929-63ee@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.