Описание
In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.
Отчет
A missing data buffer (frag_list) in SCTP chunk processing could trigger a NULL pointer dereference when handling GSO packets. A remote attacker sending a malformed SCTP packet could cause a kernel crash (DoS). The system is vulnerable only if CONFIG_IP_SCTP enabled in Kernel configuration (and for the Red Hat Enterprise Linux it is always disabled in older versions and enabled as module in latest versions only). However even if module exists in Red Hat Enterprise Linux, still admin need to specially enable it usage (make some SCTP listening port available) before exploitation would be possible.
Меры по смягчению последствий
To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2026:0453 | 12.01.2026 |
| Red Hat Enterprise Linux 10.0 Extended Update Support | kernel | Fixed | RHSA-2026:1727 | 02.02.2026 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2026:0443 | 12.01.2026 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2026:0444 | 12.01.2026 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | kernel | Fixed | RHSA-2026:2535 | 11.02.2026 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | kernel | Fixed | RHSA-2026:2535 | 11.02.2026 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.
In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.
sctp: avoid NULL dereference when chunk data buffer is missing
In the Linux kernel, the following vulnerability has been resolved: s ...
In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.
EPSS
7.5 High
CVSS3