CVE-2026-52924: sctp: purge outqueue on stale COOKIE-ECHO handling
In the Linux kernel, the following vulnerability has been resolved:
sctp: purge outqueue on stale COOKIE-ECHO handling
sctp_stream_update() is only invoked when the association is moved into
COOKIE_WAIT during association setup/reconfiguration. In this path, the
outbound stream scheduler state (stream->out_curr) is expected to be
clean, since no user data should have been transmitted yet unless the
state machine has already partially progressed.
However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a
Stale Cookie ERROR is received, the association is rolled back from
COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already
have been queued and even bundled with the COOKIE-ECHO chunk.
During the rollback, sctp_stream_update() frees the old stream table
and installs a new one, but it does not invalidate stream->out_curr.
As a result, out_curr may still point to a freed sctp_stream_out
entry from the previous stream state.
Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on
stream->out_curr->ext, which can lead to use-after-free once the old
stream state has been released via sctp_stream_free().
This results in crashes such as (reported by Yuqi):
BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140
Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312
CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted
7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)
sctp_sched_fcfs_dequeue+0x13a/0x140
sctp_outq_flush+0x1603/0x33e0
sctp_do_sm+0x31c9/0x5d30
sctp_assoc_bh_rcv+0x392/0x6f0
sctp_inq_push+0x1db/0x270
sctp_rcv+0x138d/0x3c10
Fix this by fully purging the association outqueue when handling the
Stale Cookie case. This ensures all pending transmit and retransmit
state is dropped, and any scheduler cached pointers are invalidated,
making it safe to rebuild stream state during COOKIE_WAIT restart.
Updating only stream->out_curr would be insufficient, since queued
and retransmittable data would still reference the old stream state and
trigger later use-after-free in dequeue paths.
Security readout for executives and security teams
Plain-English summary
CVE-2026-52924 is a Linux kernel SCTP flaw that can leave internal network-session pointers aimed at freed memory. A remote, unauthenticated network path is reflected in the CVSS 9.8 score. The source bundle shows a kernel crash condition and stable fixes, but does not show active exploitation.
Executive priority
Treat this as urgent for Linux environments with SCTP exposure, especially internet-facing or telecom-style workloads. If SCTP is not used, confirm that fact and still schedule normal kernel remediation through vendor channels.
Technical view
During stale COOKIE-ECHO handling, SCTP rolls an association from COOKIE_ECHOED to COOKIE_WAIT. Queued user data can retain scheduler state tied to freed stream entries. Later dequeue paths may dereference stale stream->out_curr data, causing a use-after-free. The kernel fix purges the association outqueue before rebuilding stream state.
Likely exposure
Exposure is most relevant to Linux systems running affected kernels where SCTP is enabled and reachable. Systems without SCTP use or network exposure are less likely to be practically exposed, but kernel inventory and vendor status should drive decisions.
Exploitation context
The bundle marks KEV as false and provides no cited evidence of active exploitation. It includes a KASAN slab-use-after-free crash report from SCTP processing, indicating reproducibility of a crash condition, not confirmed real-world abuse.
Researcher notes
The key condition is stale COOKIE-ECHO rollback with queued or bundled user data. The fix purges pending transmit and retransmit state because updating only stream->out_curr would leave old stream-state references in queues.
Mitigation direction
Apply the relevant Linux stable or vendor kernel update containing the SCTP outqueue purge fix.
Track Red Hat and distribution advisories for package status and supported remediation.
Restrict SCTP reachability to trusted peers where operationally feasible.
Prioritize externally reachable or SCTP-dependent systems first.
Reboot or live-patch only according to vendor-supported procedures.
Validation and detection
Inventory Linux kernel versions against vendor advisories and the listed stable fix references.
Confirm whether SCTP is enabled, loaded, or required on exposed systems.
Review network controls for inbound SCTP exposure from untrusted networks.
Verify updated kernels include the referenced SCTP stale COOKIE-ECHO fix.
Monitor kernel logs for SCTP-related crashes until remediation is complete.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-825: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
1ADP providers
12Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-825 · source CWE mapping
Expired Pointer Dereference
Expired Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.