{"id":66632,"date":"2026-06-28T03:36:02","date_gmt":"2026-06-28T03:36:02","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=66632"},"modified":"2026-06-28T03:36:02","modified_gmt":"2026-06-28T03:36:02","slug":"sctp-purge-outqueue-on-stale-cookie-echo-handling","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=66632","title":{"rendered":"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924"},"content":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: purge outqueue on stale COOKIE-ECHO handling\\n\\nsctp_stream_update() is only invoked when the association is moved into\\nCOOKIE_WAIT during association setup\/reconfiguration. In this path, the\\noutbound stream scheduler state (stream-\\u003eout_curr) is expected to be\\nclean, since no user data should have been transmitted yet unless the\\nstate machine has already partially progressed.\\n\\nHowever, a corner case exists in sctp_sf_do_5_2_6_stale(): when a\\nStale Cookie ERROR is received, the association is rolled back from\\nCOOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already\\nhave been queued and even bundled with the COOKIE-ECHO chunk.\\n\\nDuring the rollback, sctp_stream_update() frees the old stream table\\nand installs a new one, but it does not invalidate stream-\\u003eout_curr.\\nAs a result, out_curr may still point to a freed sctp_stream_out\\nentry from the previous stream state.\\n\\nLater, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on\\nstream-\\u003eout_curr-\\u003eext, which can lead to use-after-free once the old\\nstream state has been released via sctp_stream_free().\\n\\nThis results in crashes such as (reported by Yuqi):\\n\\n BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a\/0x140\\n Read of size 8 at addr ff1100004d4d3208 by task mini_poc\/9312\\n CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted\\n 7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)\\n sctp_sched_fcfs_dequeue+0x13a\/0x140\\n sctp_outq_flush+0x1603\/0x33e0\\n sctp_do_sm+0x31c9\/0x5d30\\n sctp_assoc_bh_rcv+0x392\/0x6f0\\n sctp_inq_push+0x1db\/0x270\\n sctp_rcv+0x138d\/0x3c10\\n\\nFix this by fully purging the association outqueue when handling the\\nStale Cookie case. This ensures all pending transmit and retransmit\\nstate is dropped, and any scheduler cached pointers are invalidated,\\nmaking it safe to rebuild stream state during COOKIE_WAIT restart.\\n\\nUpdating only stream-\\u003eout_curr would be insufficient, since queued\\nand retransmittable data would still reference the old stream state and\\ntrigger later use-after-free in dequeue paths.”,”published”:”2026-06-24T07:14:18.646Z”,”modified”:”2026-06-28T06:36:46.646Z”,”type”:”cve”,”title”:”sctp: purge outqueue on stale COOKIE-ECHO handling”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/84b7a319105db2f917ccdcf502bdc866082b1285\\nhttps:\/\/git.kernel.org\/stable\/c\/f46e1d1a758878f0d22c4fbbd1bf42bb7165d1e8\\nhttps:\/\/git.kernel.org\/stable\/c\/3c0741a441a7df7099d7ca6a64a6a0de09c677c8\\nhttps:\/\/git.kernel.org\/stable\/c\/2afc9e684dc7fecf73db1edc937ebbc47b4b68dc\\nhttps:\/\/git.kernel.org\/stable\/c\/1d4652f677906a64487c13f9ace54b0eb263b5d0\\nhttps:\/\/git.kernel.org\/stable\/c\/a6207349e703cfc04756a4d16dec9176135813a5\\nhttps:\/\/git.kernel.org\/stable\/c\/83ade59e5da365f4bf8bce72c5a38774202b442f\\nhttps:\/\/git.kernel.org\/stable\/c\/e374b22e9b07b72a25909621464ff74096151bfb”,”id”:”CVE-2026-52924″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51\\nLinux Linux 4.15″,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”5bbbbe32a43199c2b9ea5ea66fab6241c64beb51″,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: purge outqueue on stale COOKIE-ECHO handling\\n\\nsctp_stream_update() is only invoked when the association is moved into\\nCOOKIE_WAIT…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,35,12,13,7,11,5],"class_list":["post-66632","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nsctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=66632\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnsctp: purge outqueue on stale COOKIE-ECHO handlingnnsctp_stream_update() is only invoked when the association is moved intonCOOKIE_WAIT...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=66632\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-28T03:36:02+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924\",\"datePublished\":\"2026-06-28T03:36:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632\"},\"wordCount\":708,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=66632#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632\",\"name\":\"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-28T03:36:02+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=66632\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=66632#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=66632","og_locale":"en_US","og_type":"article","og_title":"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924 - zero redgem","og_description":"{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:nnsctp: purge outqueue on stale COOKIE-ECHO handlingnnsctp_stream_update() is only invoked when the association is moved intonCOOKIE_WAIT...","og_url":"https:\/\/zero.redgem.net\/?p=66632","og_site_name":"zero redgem","article_published_time":"2026-06-28T03:36:02+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=66632#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=66632"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924","datePublished":"2026-06-28T03:36:02+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=66632"},"wordCount":708,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=66632#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=66632","url":"https:\/\/zero.redgem.net\/?p=66632","name":"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-28T03:36:02+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=66632#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=66632"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=66632#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"sctp: purge outqueue on stale COOKIE-ECHO handling_CVE-2026-52924"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/66632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=66632"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/66632\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=66632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=66632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=66632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}