CVE-2026-23125 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65
https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a
https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef
https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83
https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8
https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855
https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 Call Trace: sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127 The issue is triggered when sctp_auth_asoc_init_active_key() fails in sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the command sequence is currently: - SCTP_CMD_PEER_INIT - SCTP_CMD_TIMER_STOP (T1_INIT) - SCTP_CMD_TIMER_START (T1_COOKIE) - SCTP_CMD_NEW_STATE (COOKIE_ECHOED) - SCTP_CMD_ASSOC_SHKEY - SCTP_CMD_GEN_COOKIE_ECHO If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL to be queued by sctp_datamsg_from_user(). Since command interpretation stops on failure, no COOKIE_ECHO should been sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As a result, the DATA chunk can be transmitted together with the COOKIE_ECHO in sctp_outq_flush_data(), leading to the observed issue. Similar to the other places where it calls sctp_auth_asoc_init_active_key() right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting T1_COOKIE. This ensures that if shared key generation fails, authenticated DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, giving the client another chance to process INIT_ACK and retry key setup.
Title		sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65 https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83 https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8 https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855 https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23125", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.970Z", "datePublished": "2026-02-14T15:09:54.756Z", "dateUpdated": "2026-02-14T15:09:54.756Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-14T15:09:54.756Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n ==================================================================\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n Call Trace:\n\n sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while\nasoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sctp/sm_statefuns.c"], "versions": [{"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "5a309bedf02ee08b0653215f06c94d61ec7a214a", "status": "affected", "versionType": "git"}, {"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "784428ab1889eb185a1459e9d6bc52df33d572ef", "status": "affected", "versionType": "git"}, {"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "e94294798548e8cfbd80869e1d2f97efce92582c", "status": "affected", "versionType": "git"}, {"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "e7e81abbcc5620c9532080538f9709a6ea382855", "status": "affected", "versionType": "git"}, {"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8", "status": "affected", "versionType": "git"}, {"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65", "status": "affected", "versionType": "git"}, {"version": "730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5", "lessThan": "a80c9d945aef55b23b54838334345f20251dad83", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sctp/sm_statefuns.c"], "versions": [{"version": "2.6.24", "status": "affected"}, {"version": "0", "lessThan": "2.6.24", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a"}, {"url": "https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef"}, {"url": "https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c"}, {"url": "https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855"}, {"url": "https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8"}, {"url": "https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65"}, {"url": "https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83"}], "title": "sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT\n\nA null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key\ninitialization fails:\n\n ==================================================================\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2\n RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]\n RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401\n Call Trace:\n\n sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189\n sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111\n sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217\n sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787\n sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]\n sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169\n sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052\n sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88\n sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243\n sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127\n\nThe issue is triggered when sctp_auth_asoc_init_active_key() fails in\nsctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the\ncommand sequence is currently:\n\n- SCTP_CMD_PEER_INIT\n- SCTP_CMD_TIMER_STOP (T1_INIT)\n- SCTP_CMD_TIMER_START (T1_COOKIE)\n- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)\n- SCTP_CMD_ASSOC_SHKEY\n- SCTP_CMD_GEN_COOKIE_ECHO\n\nIf SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while\nasoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by\nSCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL\nto be queued by sctp_datamsg_from_user().\n\nSince command interpretation stops on failure, no COOKIE_ECHO should been\nsent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already\nbeen started, and it may enqueue a COOKIE_ECHO into the outqueue later. As\na result, the DATA chunk can be transmitted together with the COOKIE_ECHO\nin sctp_outq_flush_data(), leading to the observed issue.\n\nSimilar to the other places where it calls sctp_auth_asoc_init_active_key()\nright after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY\nimmediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting\nT1_COOKIE. This ensures that if shared key generation fails, authenticated\nDATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,\ngiving the client another chance to process INIT_ACK and retry key setup."}], "id": "CVE-2026-23125", "lastModified": "2026-02-14T15:16:07.740", "metrics": {}, "published": "2026-02-14T15:16:07.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5a309bedf02ee08b0653215f06c94d61ec7a214a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/784428ab1889eb185a1459e9d6bc52df33d572ef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a80c9d945aef55b23b54838334345f20251dad83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e7e81abbcc5620c9532080538f9709a6ea382855"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e94294798548e8cfbd80869e1d2f97efce92582c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object