FKIE_CVE-2026-15422
Vulnerability from fkie_nvd - Published: 2026-07-16 20:16 - Updated: 2026-07-16 20:16
Severity
Summary
The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "affected",
"modules": [
"kernel",
"SCTP"
],
"product": "illumos-gate",
"programFiles": [
"usr/src/uts/common/inet/sctp/sctp_hash.c"
],
"repo": "https://github.com/illumos/illumos-gate",
"vendor": "illumos",
"versions": [
{
"changes": [
{
"at": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
"status": "unaffected"
}
],
"lessThan": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
"status": "affected",
"version": "a5407c02d5ed61b29481b9b71f1307d7ebec9e5c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "OmniOS",
"vendor": "OmniOS",
"versions": [
{
"changes": [
{
"at": "r151058j",
"status": "unaffected"
}
],
"lessThan": "r151058j",
"status": "affected",
"version": "r151058",
"versionType": "custom"
},
{
"changes": [
{
"at": "r151056aj",
"status": "unaffected"
}
],
"lessThan": "r151056aj",
"status": "affected",
"version": "r151056",
"versionType": "custom"
},
{
"changes": [
{
"at": "r151054bj",
"status": "unaffected"
}
],
"lessThan": "r151054bj",
"status": "affected",
"version": "r151054",
"versionType": "custom"
},
{
"lessThan": "r151054",
"status": "affected",
"version": "any",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "SmartOS",
"vendor": "Triton Data Center",
"versions": [
{
"changes": [
{
"at": "20260709",
"status": "unaffected"
}
],
"lessThan": "202060709",
"status": "affected",
"version": "any",
"versionType": "custom"
}
]
}
],
"source": "0ca53633-f0b5-4853-ba72-e0a2e62000d0"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde."
}
],
"id": "CVE-2026-15422",
"lastModified": "2026-07-16T20:16:44.190",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"source": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"type": "Secondary"
}
]
},
"published": "2026-07-16T20:16:44.190",
"references": [
{
"source": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"url": "https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75"
},
{
"source": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"url": "https://illumos.org/issues/18117"
},
{
"source": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"url": "https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters"
}
],
"sourceIdentifier": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-122"
},
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…