CVE-2026-15422 (GCVE-0-2026-15422)
Vulnerability from cvelistv5 – Published: 2026-07-16 19:29 – Updated: 2026-07-16 19:29
VLAI
EPSS
VEX
Title
SCTP needs to better-check INIT ACK chunk parameters
Summary
The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://illumos.topicbox.com/groups/developer/Ta1… | mailing-list |
| https://illumos.org/issues/18117 | issue-tracking |
| https://github.com/illumos/illumos-gate/commit/53… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| illumos | illumos-gate |
Affected:
a5407c02d5ed61b29481b9b71f1307d7ebec9e5c , < 53a3efdeff8e6745bbfb69c5360f94962fb79e75
(git)
|
|
| OmniOS | OmniOS |
Affected:
r151058 , < r151058j
(custom)
Affected: r151056 , < r151056aj (custom) Affected: r151054 , < r151054bj (custom) Affected: any , < r151054 (custom) |
|
| Triton Data Center | SmartOS |
Affected:
any , < 202060709
(custom)
|
Date Public
2026-07-08 18:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"kernel",
"SCTP"
],
"product": "illumos-gate",
"programFiles": [
"usr/src/uts/common/inet/sctp/sctp_hash.c"
],
"repo": "https://github.com/illumos/illumos-gate",
"vendor": "illumos",
"versions": [
{
"changes": [
{
"at": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
"status": "unaffected"
}
],
"lessThan": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
"status": "affected",
"version": "a5407c02d5ed61b29481b9b71f1307d7ebec9e5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "OmniOS",
"vendor": "OmniOS",
"versions": [
{
"changes": [
{
"at": "r151058j",
"status": "unaffected"
}
],
"lessThan": "r151058j",
"status": "affected",
"version": "r151058",
"versionType": "custom"
},
{
"changes": [
{
"at": "r151056aj",
"status": "unaffected"
}
],
"lessThan": "r151056aj",
"status": "affected",
"version": "r151056",
"versionType": "custom"
},
{
"changes": [
{
"at": "r151054bj",
"status": "unaffected"
}
],
"lessThan": "r151054bj",
"status": "affected",
"version": "r151054",
"versionType": "custom"
},
{
"lessThan": "r151054",
"status": "affected",
"version": "any",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "SmartOS",
"vendor": "Triton Data Center",
"versions": [
{
"changes": [
{
"at": "20260709",
"status": "unaffected"
}
],
"lessThan": "202060709",
"status": "affected",
"version": "any",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sourque"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dan McDonald"
}
],
"datePublic": "2026-07-08T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eThe illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.\u003c/pre\u003e"
}
],
"value": "The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
},
{
"capecId": "CAPEC-30",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T19:29:13.931Z",
"orgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"shortName": "illumos"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters"
},
{
"tags": [
"issue-tracking"
],
"url": "https://illumos.org/issues/18117"
},
{
"tags": [
"patch"
],
"url": "https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update your illumos distro to one that includes 18117\u0027s fix."
}
],
"value": "Update your illumos distro to one that includes 18117\u0027s fix."
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-30T20:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-08T19:00:00.000Z",
"value": "Disclosed"
}
],
"title": "SCTP needs to better-check INIT ACK chunk parameters",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eIn order of recommendation:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e1.) Hotpatch the faulty SCTP input path. \u0026nbsp;See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.\u003c/div\u003e"
}
],
"value": "In order of recommendation:\n\n\n\n\n1.) Hotpatch the faulty SCTP input path. \u00a0See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\n\n\n2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"assignerShortName": "illumos",
"cveId": "CVE-2026-15422",
"datePublished": "2026-07-16T19:29:13.931Z",
"dateReserved": "2026-07-10T15:20:03.858Z",
"dateUpdated": "2026-07-16T19:29:13.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-15422\",\"sourceIdentifier\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"published\":\"2026-07-16T20:16:44.190\",\"lastModified\":\"2026-07-16T20:16:44.190\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.\"}],\"affected\":[{\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"affectedData\":[{\"vendor\":\"illumos\",\"product\":\"illumos-gate\",\"defaultStatus\":\"affected\",\"modules\":[\"kernel\",\"SCTP\"],\"programFiles\":[\"usr/src/uts/common/inet/sctp/sctp_hash.c\"],\"repo\":\"https://github.com/illumos/illumos-gate\",\"versions\":[{\"version\":\"a5407c02d5ed61b29481b9b71f1307d7ebec9e5c\",\"lessThan\":\"53a3efdeff8e6745bbfb69c5360f94962fb79e75\",\"versionType\":\"git\",\"status\":\"affected\",\"changes\":[{\"at\":\"53a3efdeff8e6745bbfb69c5360f94962fb79e75\",\"status\":\"unaffected\"}]}]},{\"vendor\":\"OmniOS\",\"product\":\"OmniOS\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"r151058\",\"lessThan\":\"r151058j\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"r151058j\",\"status\":\"unaffected\"}]},{\"version\":\"r151056\",\"lessThan\":\"r151056aj\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"r151056aj\",\"status\":\"unaffected\"}]},{\"version\":\"r151054\",\"lessThan\":\"r151054bj\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"r151054bj\",\"status\":\"unaffected\"}]},{\"version\":\"any\",\"lessThan\":\"r151054\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Triton Data Center\",\"product\":\"SmartOS\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"any\",\"lessThan\":\"202060709\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"20260709\",\"status\":\"unaffected\"}]}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"PRESENT\",\"Automatable\":\"YES\",\"Recovery\":\"USER\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"HIGH\",\"providerUrgency\":\"RED\"}}]},\"weaknesses\":[{\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"},{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"references\":[{\"url\":\"https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75\",\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\"},{\"url\":\"https://illumos.org/issues/18117\",\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\"},{\"url\":\"https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters\",\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…