Bug 2492115 (CVE-2026-52917) - CVE-2026-52917 kernel: sctp: diag: reject stale associations in dump_one path
Keywords:
Status: NEW
Alias: CVE-2026-52917
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-24 08:02 UTC by OSIDB Bzimport
Modified: 2026-06-24 10:28 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Description OSIDB Bzimport 2026-06-24 08:02:41 UTC
In the Linux kernel, the following vulnerability has been resolved:

sctp: diag: reject stale associations in dump_one path

The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.

When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.

Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.

Comment 1 Mauro Matteo Cascella 2026-06-24 10:26:45 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062429-CVE-2026-52917-d3b0@gregkh/T
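
The failure mode in the description, as an added user-space model (not the kernel patch and not code from this bug): taking the first entry of an empty circular list yields a pointer derived from the list head itself, so the reader must revalidate the association once the lock is held. All struct, field and function names here are constructed for illustration, and returning -ESTALE for "stale" is an assumption; the extra empty-list check is a defensive addition beyond what the description states.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: these types only stand in for the kernel structures. */
struct list_head { struct list_head *next, *prev; };
struct addr_entry { struct list_head list; unsigned short port; };
struct assoc {
    struct list_head address_list; /* bind addresses, emptied on free */
    bool dead;                     /* set once the association is reaped */
    const void *ep;                /* owning endpoint, NULL once detached */
};

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}

/* Unsafe on an empty list: head.next points back at the head, so the
 * result aliases the containing struct assoc, not a real addr_entry. */
static struct addr_entry *first_entry_unchecked(struct assoc *a)
{
    return list_entry(a->address_list.next, struct addr_entry, list);
}

/* Reader side, called with the (modelled) socket lock already held:
 * re-check liveness and ownership before formatting any state. */
static int dump_one(struct assoc *a, const void *ep, unsigned short *port)
{
    if (a->dead || a->ep != ep)
        return -ESTALE;            /* reaped or detached while we slept */
    if (list_empty(&a->address_list))
        return -ESTALE;            /* defensive: nothing valid to report */
    *port = first_entry_unchecked(a)->port;
    return 0;
}

int main(void)
{
    struct assoc a = { .dead = true, .ep = NULL }; /* state after free */
    unsigned short port = 0;
    list_init(&a.address_list);
    return dump_one(&a, &a, &port) == -ESTALE ? 0 : 1;
}
```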

