CVE-2026-15422 PUBLISHED

SCTP needs to better-check INIT ACK chunk parameters

Assigner: illumos
Reserved: 10.07.2026 Published: 16.07.2026 Updated: 17.07.2026

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red
CVSS Score: 9.1

Product Status

Vendor illumos
Product illumos-gate
Versions Default: affected
  • affected from a5407c02d5ed61b29481b9b71f1307d7ebec9e5c to 53a3efdeff8e6745bbfb69c5360f94962fb79e75 (excl.)
Vendor OmniOS
Product OmniOS
Versions Default: affected
  • affected from r151058 to r151058j (excl.)
  • affected from r151056 to r151056aj (excl.)
  • affected from r151054 to r151054bj (excl.)
  • affected from any to r151054 (excl.)
Vendor Triton Data Center
Product SmartOS
Versions Default: affected
  • affected from any to 202060709 (excl.)

Workarounds

In order of recommendation:

1.) Hotpatch the faulty SCTP input path.  See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact developers@lists.illumos.org.

2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.

Solutions

Update your illumos distro to one that includes 18117's fix.

Credits

  • Sourque finder
  • Dan McDonald remediation developer

References

Problem Types

  • CWE-122 Heap-based buffer overflow CWE
  • CWE-787 Out-of-bounds write CWE

Impacts

  • CAPEC-100 Overflow Buffers
  • CAPEC-30 Hijacking a Privileged Thread of Execution