Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-23125— sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT

EPSS 0.02% · P4
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-23125

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 Call Trace: sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 The issue is triggered when sctp_auth_asoc_init_active_key() fails in sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the command sequence is currently: - SCTP_CMD_PEER_INIT - SCTP_CMD_TIMER_STOP (T1_INIT) - SCTP_CMD_TIMER_START (T1_COOKIE) - SCTP_CMD_NEW_STATE (COOKIE_ECHOED) - SCTP_CMD_ASSOC_SHKEY - SCTP_CMD_GEN_COOKIE_ECHO If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL to be queued by sctp_datamsg_from_user(). Since command interpretation stops on failure, no COOKIE_ECHO should been sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As a result, the DATA chunk can be transmitted together with the COOKIE_ECHO in sctp_outq_flush_data(), leading to the observed issue. Similar to the other places where it calls sctp_auth_asoc_init_active_key() right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting T1_COOKIE. This ensures that if shared key generation fails, authenticated DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, giving the client another chance to process INIT_ACK and retry key setup.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于sctp中SCTP_CMD_ASSOC_SHKEY命令顺序不当,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 ~ 5a309bedf02ee08b0653215f06c94d61ec7a214a -
LinuxLinux 2.6.24 -

II. Public POCs for CVE-2026-23125

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-23125

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-02-14 · 108 CVEs total

CVE-2026-231938.8 HIGHscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
CVE-2026-231728.4 HIGHnet: wwan: t7xx: fix potential skb->frags overflow in RX path
CVE-2026-232097.8 HIGHmacvlan: fix error recovery in macvlan_common_newlink()
CVE-2026-231787.8 HIGHHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
CVE-2026-231847.8 HIGHbinder: fix UAF in binder_netlink_report()
CVE-2026-231857.8 HIGHwifi: iwlwifi: mld: cancel mlo_scan_start_wk
CVE-2026-231717.8 HIGHbonding: fix use-after-free due to enslave fail after slave array update
CVE-2026-231697.8 HIGHmptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
CVE-2026-231917.8 HIGHALSA: aloop: Fix racy access at PCM trigger
CVE-2026-231927.8 HIGHlinkwatch: use __dev_put() in callers to prevent UAF
CVE-2026-231987.8 HIGHKVM: Don't clobber irqfd routing type when deassigning irqfd
CVE-2026-231487.5 HIGHnvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
CVE-2026-231367.5 HIGHlibceph: reset sparse-read state in osd_fault()
CVE-2026-231397.5 HIGHnetfilter: nf_conncount: update last_gc only when GC has been performed
CVE-2026-231617.3 HIGHmm/shmem, swap: fix race of truncate and swap entry split
CVE-2026-232047.1 HIGHnet/sched: cls_u32: use skb_header_pointer_careful()
CVE-2026-231957.0 HIGHcgroup/dmem: avoid pool UAF
CVE-2026-231807.0 HIGHdpaa2-switch: add bounds check for if_id in IRQ handler
CVE-2026-231757.0 HIGHnet: cpsw: Execute ndo_set_rx_mode callback in a work queue
CVE-2026-23141btrfs: send: check for inline extents in range_is_hole_in_parent()

Showing top 20 of 108 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-23125

No comments yet

Leave a comment