CVE-2026-23125 PUBLISHED

sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT

Assigner: Linux
Reserved: 13.01.2026 Published: 14.02.2026 Updated: 14.02.2026

In the Linux kernel, the following vulnerability has been resolved:

sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT

A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails:

================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401 Call Trace:

sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189 sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111 sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217 sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169 sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052 sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88 sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243 sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127

The issue is triggered when sctp_auth_asoc_init_active_key() fails in sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the command sequence is currently:

  • SCTP_CMD_PEER_INIT
  • SCTP_CMD_TIMER_STOP (T1_INIT)
  • SCTP_CMD_TIMER_START (T1_COOKIE)
  • SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
  • SCTP_CMD_ASSOC_SHKEY
  • SCTP_CMD_GEN_COOKIE_ECHO

If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL to be queued by sctp_datamsg_from_user().

Since command interpretation stops on failure, no COOKIE_ECHO should been sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As a result, the DATA chunk can be transmitted together with the COOKIE_ECHO in sctp_outq_flush_data(), leading to the observed issue.

Similar to the other places where it calls sctp_auth_asoc_init_active_key() right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting T1_COOKIE. This ensures that if shared key generation fails, authenticated DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT, giving the client another chance to process INIT_ACK and retry key setup.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to 5a309bedf02ee08b0653215f06c94d61ec7a214a (excl.)
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to 784428ab1889eb185a1459e9d6bc52df33d572ef (excl.)
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to e94294798548e8cfbd80869e1d2f97efce92582c (excl.)
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to e7e81abbcc5620c9532080538f9709a6ea382855 (excl.)
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to bf2b543b3cc4ebb4ab5bca4f8dfa5612035d45b8 (excl.)
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to 0c4adb1f391a7b92a0405e9d7c05624c0d9f8a65 (excl.)
  • affected from 730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 to a80c9d945aef55b23b54838334345f20251dad83 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.24 is affected
  • unaffected from 0 to 2.6.24 (excl.)
  • unaffected from 5.10.249 to 5.10.* (incl.)
  • unaffected from 5.15.199 to 5.15.* (incl.)
  • unaffected from 6.1.162 to 6.1.* (incl.)
  • unaffected from 6.6.122 to 6.6.* (incl.)
  • unaffected from 6.12.68 to 6.12.* (incl.)
  • unaffected from 6.18.8 to 6.18.* (incl.)
  • unaffected from 6.19 to * (incl.)

References