LiveActive security incident?Get immediate response
CVE Record

CVE-2026-52924: sctp: purge outqueue on stale COOKIE-ECHO handling

In the Linux kernel, the following vulnerability has been resolved: sctp: purge outqueue on stale COOKIE-ECHO handling sctp_stream_update() is only invoked when the association is moved into COOKIE_WAIT during association setup/reconfiguration. In this path, the outbound stream scheduler state (stream->out_curr) is expected to be clean, since no user data should have been transmitted yet unless the state machine has already partially progressed. However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a Stale Cookie ERROR is received, the association is rolled back from COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already have been queued and even bundled with the COOKIE-ECHO chunk. During the rollback, sctp_stream_update() frees the old stream table and installs a new one, but it does not invalidate stream->out_curr. As a result, out_curr may still point to a freed sctp_stream_out entry from the previous stream state. Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on stream->out_curr->ext, which can lead to use-after-free once the old stream state has been released via sctp_stream_free(). This results in crashes such as (reported by Yuqi): BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140 Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312 CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full) sctp_sched_fcfs_dequeue+0x13a/0x140 sctp_outq_flush+0x1603/0x33e0 sctp_do_sm+0x31c9/0x5d30 sctp_assoc_bh_rcv+0x392/0x6f0 sctp_inq_push+0x1db/0x270 sctp_rcv+0x138d/0x3c10 Fix this by fully purging the association outqueue when handling the Stale Cookie case. This ensures all pending transmit and retransmit state is dropped, and any scheduler cached pointers are invalidated, making it safe to rebuild stream state during COOKIE_WAIT restart. Updating only stream->out_curr would be insufficient, since queued and retransmittable data would still reference the old stream state and trigger later use-after-free in dequeue paths.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2026-52924 is a Linux kernel SCTP flaw that can leave internal network-session pointers aimed at freed memory. A remote, unauthenticated network path is reflected in the CVSS 9.8 score. The source bundle shows a kernel crash condition and stable fixes, but does not show active exploitation.

Executive priority

Treat this as urgent for Linux environments with SCTP exposure, especially internet-facing or telecom-style workloads. If SCTP is not used, confirm that fact and still schedule normal kernel remediation through vendor channels.

Technical view

During stale COOKIE-ECHO handling, SCTP rolls an association from COOKIE_ECHOED to COOKIE_WAIT. Queued user data can retain scheduler state tied to freed stream entries. Later dequeue paths may dereference stale stream->out_curr data, causing a use-after-free. The kernel fix purges the association outqueue before rebuilding stream state.

Likely exposure

Exposure is most relevant to Linux systems running affected kernels where SCTP is enabled and reachable. Systems without SCTP use or network exposure are less likely to be practically exposed, but kernel inventory and vendor status should drive decisions.

Exploitation context

The bundle marks KEV as false and provides no cited evidence of active exploitation. It includes a KASAN slab-use-after-free crash report from SCTP processing, indicating reproducibility of a crash condition, not confirmed real-world abuse.

Researcher notes

The key condition is stale COOKIE-ECHO rollback with queued or bundled user data. The fix purges pending transmit and retransmit state because updating only stream->out_curr would leave old stream-state references in queues.

Mitigation direction

  • Apply the relevant Linux stable or vendor kernel update containing the SCTP outqueue purge fix.
  • Track Red Hat and distribution advisories for package status and supported remediation.
  • Restrict SCTP reachability to trusted peers where operationally feasible.
  • Prioritize externally reachable or SCTP-dependent systems first.
  • Reboot or live-patch only according to vendor-supported procedures.

Validation and detection

  • Inventory Linux kernel versions against vendor advisories and the listed stable fix references.
  • Confirm whether SCTP is enabled, loaded, or required on exposed systems.
  • Review network controls for inbound SCTP exposure from untrusted networks.
  • Verify updated kernels include the referenced SCTP stale COOKIE-ECHO fix.
  • Monitor kernel logs for SCTP-related crashes until remediation is complete.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-825: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-52924 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
1ADP providers
12Source links

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Linux
7CVSS 3.1HighCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H2.24.7redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2026-52924Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

redhat-SADPkernel: sctp: purge outqueue on stale COOKIE-ECHO handling
other:Red Hat severity ratingcvssV3_1
  • 2026-06-24T00:00:00.000Z: Reported to Red Hat.
  • 2026-06-24T00:00:00.000Z: Made public.
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51, 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51unaffected
LinuxLinux4.15, 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-825 · source CWE mapping

Expired Pointer Dereference

Expired Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.