CVE-2026-23125 (GCVE-0-2026-23125)

Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
Title
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
Summary
In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 Call Trace: sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 The issue is triggered when sctp_auth_asoc_init_active_key() fails in sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the command sequence is currently: - SCTP_CMD_PEER_INIT - SCTP_CMD_TIMER_STOP (T1_INIT) - SCTP_CMD_TIMER_START (T1_COOKIE) - SCTP_CMD_NEW_STATE (COOKIE_ECHOED) - SCTP_CMD_ASSOC_SHKEY - SCTP_CMD_GEN_COOKIE_ECHO If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL to be queued by sctp_datamsg_from_user(). Since command interpretation stops on failure, no COOKIE_ECHO should been sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As a result, the DATA chunk can be transmitted together with the COOKIE_ECHO in sctp_outq_flush_data(), leading to the observed issue. Similar to the other places where it calls sctp_auth_asoc_init_active_key() right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting T1_COOKIE. This ensures that if shared key generation fails, authenticated DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, giving the client another chance to process INIT_ACK and retry key setup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 5a309bedf02ee08b0653215f06c94d61ec7a214a (git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 784428ab1889eb185a1459e9d6bc52df33d572ef (git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < e94294798548e8cfbd80869e1d2f97efce92582c (git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < e7e81abbcc5620c9532080538f9709a6ea382855 (git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8 (git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < 0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65 (git)
Affected: 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 , < a80c9d945aef55b23b54838334345f20251dad83 (git)
Create a notification for this product.
    Linux Linux Affected: 2.6.24
Unaffected: 0 , < 2.6.24 (semver)
Unaffected: 5.10.249 , ≤ 5.10.* (semver)
Unaffected: 5.15.199 , ≤ 5.15.* (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a309bedf02ee08b0653215f06c94d61ec7a214a",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            },
            {
              "lessThan": "784428ab1889eb185a1459e9d6bc52df33d572ef",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            },
            {
              "lessThan": "e94294798548e8cfbd80869e1d2f97efce92582c",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            },
            {
              "lessThan": "e7e81abbcc5620c9532080538f9709a6ea382855",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            },
            {
              "lessThan": "bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            },
            {
              "lessThan": "0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            },
            {
              "lessThan": "a80c9d945aef55b23b54838334345f20251dad83",
              "status": "affected",
              "version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n  ==================================================================\n  KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n  CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n  RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n  RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n  Call Trace:\n\n  sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n  sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n  sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n  sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n  sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n  sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n  sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n  sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n  sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc-\u003eshkey remains NULL, while\nasoc-\u003epeer.auth_capable and asoc-\u003epeer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T15:09:54.756Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a"
        },
        {
          "url": "https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65"
        },
        {
          "url": "https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83"
        }
      ],
      "title": "sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23125",
    "datePublished": "2026-02-14T15:09:54.756Z",
    "dateReserved": "2026-01-13T15:37:45.970Z",
    "dateUpdated": "2026-02-14T15:09:54.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23125\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T15:16:07.740\",\"lastModified\":\"2026-02-14T15:16:07.740\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\\n\\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\\ninitialization fails:\\n\\n  ==================================================================\\n  KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\\n  CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\\n  RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\\n  RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\\n  Call Trace:\\n\\n  sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\\n  sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\\n  sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\\n  sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\\n  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\\n  sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\\n  sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\\n  sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\\n  sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\\n  sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\\n\\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\\ncommand sequence is currently:\\n\\n- SCTP_CMD_PEER_INIT\\n- SCTP_CMD_TIMER_STOP (T1_INIT)\\n- SCTP_CMD_TIMER_START (T1_COOKIE)\\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\\n- SCTP_CMD_ASSOC_SHKEY\\n- SCTP_CMD_GEN_COOKIE_ECHO\\n\\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc-\u003eshkey remains NULL, while\\nasoc-\u003epeer.auth_capable and asoc-\u003epeer.peer_chunks have already been set by\\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\\nto be queued by sctp_datamsg_from_user().\\n\\nSince command interpretation stops on failure, no COOKIE_ECHO should been\\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\\nin sctp_outq_flush_data(), leading to the observed issue.\\n\\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\\ngiving the client another chance to process INIT_ACK and retry key setup.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.