{
  "threat_severity" : "Important",
  "public_date" : "2026-05-28T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
    "id" : "2482564",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482564"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-367",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep->asocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint's list head (type\nconfusion of &newep->asocs as a struct sctp_association *).\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched->init_sid pointer.\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep->asocs at that point: the\nonly callers that list_del an association from ep->asocs are\nsctp_association_free() (which sets asoc->base.dead) and\nsctp_assoc_migrate() (which changes asoc->base.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err < 0 and the loop\nbails before the re-derive.\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for.", "A flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A race condition exists in the `SCTP_SENDALL` path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker (via a network abort) to trigger a use-after-free or type confusion vulnerability. Successful exploitation can lead to a controlled indirect call, potentially resulting in arbitrary code execution." ],
  "statement" : "A stale list cursor in the SCTP_SENDALL path can be used after sctp_sendmsg_to_asoc() temporarily drops the socket lock while waiting for send buffer space. During this window another local thread can peel off or close the cached next association, or the association can be removed by a network ABORT, leaving the iterator to advance to a freed or migrated object. This creates a use after free or type confusion in the SCTP association list walk and may allow kernel memory corruption. For the CVSS the PR:L is used because triggering requires a local unprivileged process with access to SCTP socket operations, not administrator rights. The issue is not a pure remote network bug because local code execution is needed to drive SCTP_SENDALL and related socket operations, although network ABORT traffic can participate in one removal path.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27731",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.82.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26535",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.194.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26535",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.194.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26563",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.147.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26563",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.147.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26515",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.176.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26462",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.176.1.rt14.461.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27735",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.4",
    "package" : "kernel-0:5.14.0-427.132.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46227\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46227\nhttps://lore.kernel.org/linux-cve-announce/2026052838-CVE-2026-46227-4bf1@gregkh/T" ],
  "name" : "CVE-2026-46227",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}