CVE-2026-46227
Public on
Last Modified:
Description
A flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A race condition exists in the SCTP_SENDALL path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker (via a network abort) to trigger a use-after-free or type confusion vulnerability. Successful exploitation can lead to a controlled indirect call, potentially resulting in arbitrary code execution.
Statement
A stale list cursor in the SCTP_SENDALL path can be used after sctp_sendmsg_to_asoc() temporarily drops the socket lock while waiting for send buffer space. During this window another local thread can peel off or close the cached next association, or the association can be removed by a network ABORT, leaving the iterator to advance to a freed or migrated object. This creates a use after free or type confusion in the SCTP association list walk and may allow kernel memory corruption. For the CVSS the PR:L is used because triggering requires a local unprivileged process with access to SCTP socket operations, not administrator rights. The issue is not a pure remote network bug because local code execution is needed to drive SCTP_SENDALL and related socket operations, although network ABORT traffic can participate in one removal path.
Mitigation
To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Additional Information
- This content is not included.Bugzilla 2482564: kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
- Content from cwe.mitre.org is not included.CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- FAQ: Frequently asked questions about CVE-2026-46227
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.
External References
Content from www.cve.org is not included.https://www.cve.org/CVERecord?id=CVE-2026-46227
Content from nvd.nist.gov is not included.https://nvd.nist.gov/vuln/detail/CVE-2026-46227
Affected Packages and Issued Red Hat Security Errata
| Products / Services | Components | State | Errata |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Affected | |
| Red Hat Enterprise Linux 10.0 Extended Update Support | kernel | Fixed | This content is not included.RHSA-2026:27731 |
| Red Hat Enterprise Linux 6 | kernel | Not affected | |
| Red Hat Enterprise Linux 7 | kernel | Not affected | |
| Red Hat Enterprise Linux 8 | kernel | Affected | |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2026:26535 |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | kernel | Fixed | RHSA-2026:26535 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | kernel | Fixed | RHSA-2026:26563 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | kernel | Fixed | RHSA-2026:26563 |
| Red Hat Enterprise Linux 9 | kernel | Affected | |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | kernel-rt | Fixed | RHSA-2026:26462 |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | kernel | Fixed | RHSA-2026:26515 |
| Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions | kernel | Fixed | This content is not included.RHSA-2026:27735 |
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authorities (CNA) source for its products and services (see Red Hat classifications ).
| CVSS v3 Score Breakdown | Red Hat | NVD |
|---|---|---|
| CVSS v3 Base Score | 7 | |
| Attack Vector | Local | |
| Attack Complexity | High | |
| Privileges Required | Low | |
| User Interaction | None | |
| Scope | Unchanged | |
| Confidentiality Impact | High | |
| Integrity Impact | High | |
| Availability Impact | High |
CVSS v3 Vector
Red Hat CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
For more information, see https://access.redhat.com/solutions/762393.
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
- "Under investigation" doesn't necessarily mean that the product is affected by this vulnerability. It only means that our Analysis Team is still working on determining whether the product is affected and how it is affected.
- "Affected" means that our Analysis Team has determined that this product is affected by this vulnerability and might release a fix to address this in the near future.
What can I do if my product is listed as "Will not fix"?
Available options depend mostly on the Impact of the vulnerability and the current Life Cycle phase of your product. Overall, you have the following options:
- Upgrade to a supported product version that includes a fix for this vulnerability (recommended).
- Apply a mitigation (if one exists).
- Open a This content is not included.support case to request a prioritization of releasing a fix for this vulnerability.
What can I do if my product is listed as "Fix deferred"?
Available options depend mostly on the Impact of the vulnerability and the current Life Cycle phase of your product. Overall, you have the following options:
- Apply a mitigation (if one exists).
- Open a This content is not included.support case to request a prioritization of releasing a fix for this vulnerability.
- Red Hat Engineering focuses on addressing high-priority issues based on their complexity or limited lifecycle support. Therefore, lower-priority issues will not receive immediate fixes.
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
My product is listed as "Out of Support Scope". What does this mean?
Not sure what something means? Check out our Security Glossary.