CVE Catalog

CVE-2026-52929

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile — higher than 31% of all known CVEs

Summary

In the Linux kernel, a vulnerability in SCTP stream handling causes incomplete rollback when ADD_OUT_STREAMS is denied. Leftover metadata from removed streams can trigger a null-pointer dereference in the scheduler when the stream is re-added.

Risk Assessment

An attacker could exploit this to cause a kernel panic or potentially escalate privileges by manipulating SCTP streams, compromising system stability and security.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit that fully rolls back denied SCTP stream additions). For production systems, apply the security patch from your distributor.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: sctp: stream: fully roll back denied add-stream state When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed stream metadata behind, so a later re-add can reuse a stale ext and hit a null-pointer dereference in the scheduler get path. Fix the rollback by tearing down the removed stream state the same way other stream resizes do. Unschedule the current scheduler state, drop the removed stream ext state with sctp_stream_outq_migrate(), and then reschedule the remaining streams. This keeps scheduler-private RR/FC/PRIO lists consistent while fully rolling back denied outgoing stream additions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS