PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46227 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. The SCTP_SENDALL path in sctp_sendmsg() uses list_for_each_entry_safe() to iterate over endpoint associations, caching the next entry before the loop body executes. When sctp_sendmsg_to_asoc() drops the socket lock via sctp_wait_for_sndbuf(), a concurrent thread can peel off the cached association using SCTP_SOCKOPT_PEELOFF, migrating it to a new endpoint and potentially freeing it. The sctp_wait_for_sndbuf() function revalidates the current association but not the cached next pointer. After successful return, the iterator advances to the stale cached entry, resulting in use-after-free if the peeled socket was closed, or type confusion where the new endpoint's list head is misinterpreted as a struct sctp_association. The type confusion path enables controlled indirect calls. The vulnerability is reachable without elevated capabilities. The fix re-derives the cached next pointer from the current association after sctp_sendmsg_to_asoc() returns, ensuring the iterator remains valid.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Linux system administrators, kernel security teams, network infrastructure operators using SCTP, distribution maintainers

Technical summary

The vulnerability stems from insufficient revalidation of list iteration state in the SCTP_SENDALL code path. list_for_each_entry_safe() caches the next list entry in a temporary variable before the loop body executes, which is only safe if nothing else modifies the list while the body runs. Here the body drops the socket lock, and in that window another thread holding the same socket can modify the list: SCTP_SOCKOPT_PEELOFF migrates an association to a freshly created endpoint via sctp_sock_migrate(), and inbound ABORT processing can free one. When sctp_wait_for_sndbuf() reacquires the lock it validates only the current association pointer; the cached next pointer is not rechecked. Advancing the iterator then either dereferences freed memory (if the peeled-off socket was closed) or, if the migrated association is still alive, follows its list links into the new endpoint's list and treats that endpoint's list head as a struct sctp_association. On that type-confused object the outqueue.sched->init_sid function pointer is read from whatever lies at that offset in the endpoint rather than from a real association, which is the controlled indirect call the CVE record describes. The race is driven entirely by socket calls from a local process (sendmsg() with SCTP_SENDALL in one thread, setsockopt() with SCTP_SOCKOPT_PEELOFF in another), and creating an SCTP socket needs no capability, so the primary exposure is local privilege escalation by an unprivileged user; a remote peer can at most contribute the ABORT-driven free. The fix re-derives the next pointer from the validated current association after each sctp_sendmsg_to_asoc() call, so the iterator never advances through a stale cache.
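The iterator hazard described above, as an added userspace model written for this debrief (it is not kernel code and not the upstream fix): the list_for_each_entry_safe() pattern is reproduced over a minimal intrusive list, the lock drop inside sctp_wait_for_sndbuf() is modelled by a hook in which a second thread's peel-off runs, and the vulnerable and fixed advance steps are selected with a flag so both can be run on the same constructed list. Names such as peeloff(), sendmsg_to_asoc(), sendall(), struct scenario and MAX_STEPS are this example's own; the real association and endpoint structures are far larger, and here list_head is deliberately placed first in both so that an endpoint's list head, reinterpreted as an association, points at the endpoint itself, which is the type confusion the CVE describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kernel's intrusive list (include/linux/list.h). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define INIT_LIST_HEAD(h) ((h)->next = (h)->prev = (h))

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* list_head is the first member of both, so an endpoint's list head
 * reinterpreted as an association lands on the endpoint itself. */
struct endpoint { struct list_head asocs; };
struct assoc    { struct list_head asocs; int asoc_id; struct endpoint *ep; };
#define next_asoc(p) container_of((p)->asocs.next, struct assoc, asocs)
#define MAX_STEPS 8 /* bound so the broken walk terminates in the demo */

/* Constructed scenario: ep1 owns a1, a2, a3; ep2 is empty; a racing thread
 * peels a2 (the entry cached while a1 is being sent to) over to ep2. */
struct scenario { struct endpoint ep1, ep2; struct assoc a1, a2, a3; bool peeled; };

/* Model of SCTP_SOCKOPT_PEELOFF / sctp_sock_migrate(): unlink, append to `to`. */
static void peeloff(struct assoc *a, struct endpoint *to)
{
	a->asocs.prev->next = a->asocs.next; a->asocs.next->prev = a->asocs.prev;
	list_add_tail(&a->asocs, &to->asocs);
	a->ep = to;
}

/* Model of sctp_sendmsg_to_asoc(): sctp_wait_for_sndbuf() drops the socket
 * lock, the racing thread runs once, and only `cur` is revalidated on return. */
static void sendmsg_to_asoc(struct assoc *cur, struct scenario *s)
{
	(void)cur;
	if (!s->peeled) {
		peeloff(&s->a2, &s->ep2);
		s->peeled = true;
	}
}

/* SCTP_SENDALL loop shaped like list_for_each_entry_safe() over ep1: `tmp` is
 * computed before the body. Unfixed, it is trusted afterwards (the bug); fixed,
 * it is re-derived from `asoc`, which the body revalidated. Records each
 * pointer the iterator produced in `visited` and returns the count. */
static int sendall(struct scenario *s, struct assoc **visited, bool fixed)
{
	struct endpoint *ep = &s->ep1;
	struct assoc *asoc = container_of(ep->asocs.next, struct assoc, asocs);
	struct assoc *tmp = next_asoc(asoc);
	int n = 0;
	while (&asoc->asocs != &ep->asocs && n < MAX_STEPS) {
		visited[n++] = asoc;
		sendmsg_to_asoc(asoc, s);
		if (fixed)
			tmp = next_asoc(asoc); /* FIX: refresh the cached next */
		asoc = tmp;                    /* BUG: stale when unfixed */
		tmp = next_asoc(asoc);
	}
	return n;
}

static void scenario_init(struct scenario *s)
{
	struct assoc *all[3] = { &s->a1, &s->a2, &s->a3 };
	INIT_LIST_HEAD(&s->ep1.asocs);
	INIT_LIST_HEAD(&s->ep2.asocs);
	for (int i = 0; i < 3; i++) {
		all[i]->asoc_id = i + 1;
		all[i]->ep = &s->ep1;
		list_add_tail(&all[i]->asocs, &s->ep1.asocs);
	}
	s->peeled = false;
}

/* True when the iterator handed back ep2's list head as an association. */
static bool is_confused(const struct scenario *s, const struct assoc *p)
{
	return &p->asocs == &s->ep2.asocs;
}

int main(void)
{
	struct scenario s;
	struct assoc *seen[MAX_STEPS];
	int n;
	scenario_init(&s);
	n = sendall(&s, seen, false);
	printf("vulnerable: %d steps; step 3 is ep2's list head: %s\n", n,
	       is_confused(&s, seen[2]) ? "yes" : "no");
	scenario_init(&s);
	n = sendall(&s, seen, true);
	printf("fixed: %d steps, ending at a%d\n", n, seen[n - 1]->asoc_id);
	return 0;
}
```

The vulnerable walk visits a1, then a2 (already migrated to ep2), then ep2's list head as if it were an association, and cycles between those until the MAX_STEPS bound; the kernel has no such bound, so the real loop would go on to read association fields, outqueue.sched among them, out of the endpoint. The fixed walk visits a1 and a3 and never touches a2 again. The model covers the migration path only; the freed-association case (peeled-off socket closed) would leave tmp pointing at released memory, which cannot be shown safely in userspace.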

Defensive priority

high

Recommended defensive actions

  • Apply the fix as soon as your distribution ships it; the CVE record points at the kernel.org stable-tree commits, so confirm that the kernel package you deploy actually carries them rather than relying on the version number alone
  • Monitor vendor security advisories for backports to the supported kernel branches you run
  • Inventory hosts on which the sctp module is loaded or loadable: the peel-off race is driven by an unprivileged local process, so multi-tenant and container hosts with SCTP available are exposed even if they never carry SCTP traffic on the wire
  • Where SCTP is not required, prevent the module from being autoloaded by socket creation (a modprobe.d install rule that refuses to load sctp), which removes the local trigger entirely; network-level filtering of untrusted SCTP traffic limits the ABORT-driven free but does not stop a local attacker, so treat it as a supplement to patching, not a substitute

Evidence notes

Vulnerability description sourced from the official CVE record published 2026-05-28. Kernel.org stable tree commits are provided as references. NVD had not assigned a CVSS score or severity at the time of disclosure, so the HIGH 7.8 shown above is not an NVD score.

Official resources

2026-05-28