CVE-2026-15422 (GCVE-0-2026-15422)

Vulnerability from cvelistv5 – Published: 2026-07-16 19:29 – Updated: 2026-07-16 19:29
VLAI
Title
SCTP needs to better-check INIT ACK chunk parameters
Summary
The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.
CWE
Assigner
Impacted products
Vendor Product Version
illumos illumos-gate Affected: a5407c02d5ed61b29481b9b71f1307d7ebec9e5c , < 53a3efdeff8e6745bbfb69c5360f94962fb79e75 (git)
Create a notification for this product.
OmniOS OmniOS Affected: r151058 , < r151058j (custom)
Affected: r151056 , < r151056aj (custom)
Affected: r151054 , < r151054bj (custom)
Affected: any , < r151054 (custom)
Create a notification for this product.
Triton Data Center SmartOS Affected: any , < 202060709 (custom)
Create a notification for this product.
Date Public
2026-07-08 18:00
Credits
Sourque Dan McDonald
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "kernel",
            "SCTP"
          ],
          "product": "illumos-gate",
          "programFiles": [
            "usr/src/uts/common/inet/sctp/sctp_hash.c"
          ],
          "repo": "https://github.com/illumos/illumos-gate",
          "vendor": "illumos",
          "versions": [
            {
              "changes": [
                {
                  "at": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
                  "status": "unaffected"
                }
              ],
              "lessThan": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
              "status": "affected",
              "version": "a5407c02d5ed61b29481b9b71f1307d7ebec9e5c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "OmniOS",
          "vendor": "OmniOS",
          "versions": [
            {
              "changes": [
                {
                  "at": "r151058j",
                  "status": "unaffected"
                }
              ],
              "lessThan": "r151058j",
              "status": "affected",
              "version": "r151058",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "r151056aj",
                  "status": "unaffected"
                }
              ],
              "lessThan": "r151056aj",
              "status": "affected",
              "version": "r151056",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "r151054bj",
                  "status": "unaffected"
                }
              ],
              "lessThan": "r151054bj",
              "status": "affected",
              "version": "r151054",
              "versionType": "custom"
            },
            {
              "lessThan": "r151054",
              "status": "affected",
              "version": "any",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "SmartOS",
          "vendor": "Triton Data Center",
          "versions": [
            {
              "changes": [
                {
                  "at": "20260709",
                  "status": "unaffected"
                }
              ],
              "lessThan": "202060709",
              "status": "affected",
              "version": "any",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sourque"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Dan McDonald"
        }
      ],
      "datePublic": "2026-07-08T18:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cpre\u003eThe illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.\u003c/pre\u003e"
            }
          ],
          "value": "The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        },
        {
          "capecId": "CAPEC-30",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-16T19:29:13.931Z",
        "orgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
        "shortName": "illumos"
      },
      "references": [
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://illumos.org/issues/18117"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update your illumos distro to one that includes 18117\u0027s fix."
            }
          ],
          "value": "Update your illumos distro to one that includes 18117\u0027s fix."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-30T20:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-08T19:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "SCTP needs to better-check INIT ACK chunk parameters",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eIn order of recommendation:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e1.) Hotpatch the faulty SCTP input path. \u0026nbsp;See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.\u003c/div\u003e"
            }
          ],
          "value": "In order of recommendation:\n\n\n\n\n1.) Hotpatch the faulty SCTP input path. \u00a0See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\n\n\n2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
    "assignerShortName": "illumos",
    "cveId": "CVE-2026-15422",
    "datePublished": "2026-07-16T19:29:13.931Z",
    "dateReserved": "2026-07-10T15:20:03.858Z",
    "dateUpdated": "2026-07-16T19:29:13.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-15422\",\"sourceIdentifier\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"published\":\"2026-07-16T20:16:44.190\",\"lastModified\":\"2026-07-16T20:16:44.190\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.\"}],\"affected\":[{\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"affectedData\":[{\"vendor\":\"illumos\",\"product\":\"illumos-gate\",\"defaultStatus\":\"affected\",\"modules\":[\"kernel\",\"SCTP\"],\"programFiles\":[\"usr/src/uts/common/inet/sctp/sctp_hash.c\"],\"repo\":\"https://github.com/illumos/illumos-gate\",\"versions\":[{\"version\":\"a5407c02d5ed61b29481b9b71f1307d7ebec9e5c\",\"lessThan\":\"53a3efdeff8e6745bbfb69c5360f94962fb79e75\",\"versionType\":\"git\",\"status\":\"affected\",\"changes\":[{\"at\":\"53a3efdeff8e6745bbfb69c5360f94962fb79e75\",\"status\":\"unaffected\"}]}]},{\"vendor\":\"OmniOS\",\"product\":\"OmniOS\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"r151058\",\"lessThan\":\"r151058j\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"r151058j\",\"status\":\"unaffected\"}]},{\"version\":\"r151056\",\"lessThan\":\"r151056aj\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"r151056aj\",\"status\":\"unaffected\"}]},{\"version\":\"r151054\",\"lessThan\":\"r151054bj\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"r151054bj\",\"status\":\"unaffected\"}]},{\"version\":\"any\",\"lessThan\":\"r151054\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Triton Data Center\",\"product\":\"SmartOS\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"any\",\"lessThan\":\"202060709\",\"versionType\":\"custom\",\"status\":\"affected\",\"changes\":[{\"at\":\"20260709\",\"status\":\"unaffected\"}]}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"PRESENT\",\"Automatable\":\"YES\",\"Recovery\":\"USER\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"HIGH\",\"providerUrgency\":\"RED\"}}]},\"weaknesses\":[{\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"},{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"references\":[{\"url\":\"https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75\",\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\"},{\"url\":\"https://illumos.org/issues/18117\",\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\"},{\"url\":\"https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters\",\"source\":\"0ca53633-f0b5-4853-ba72-e0a2e62000d0\"}]}}"
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…