CVE-2026-52929 - Vulnerability Details

- sctp: stream: fully roll back denied add-stream state

Description

In the Linux kernel, the following vulnerability has been resolved:

sctp: stream: fully roll back denied add-stream state

When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
then lowers outcnt. That leaves removed stream metadata behind, so a
later re-add can reuse a stale ext and hit a null-pointer dereference in
the scheduler get path.

Fix the rollback by tearing down the removed stream state the same way
other stream resizes do. Unschedule the current scheduler state, drop
the removed stream ext state with sctp_stream_outq_migrate(), and then
reschedule the remaining streams.

This keeps scheduler-private RR/FC/PRIO lists consistent while fully
rolling back denied outgoing stream additions.

Published: 2026-06-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< 0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< a6724b7b812ac8793514a1d5938db5d9d29ae725
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< 9662eb0401518f0b4681f10e7fbf688f504f24cf
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< 7dd9a42b044aad2dbe037db1c1e2943582485b44
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< 39dc2b0eb5371a669ebc9ec6072b9184eac95418
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< d5ea0b3e261fcb2cfff142675516165244cab1da
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< 1c6773b8c081509dcd5cd2954f2b02c50c00f151
`637784ade221a3c8a7ecd0f583eddd95d6276b9a`	affected	< a5f8a90ac9f77c678a9781c0a464b635e0d63e49

Linux

affected

Version	Status	Constraints
`4.15`	affected	—
`0`	unaffected	< 4.15
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,a6724b7b812ac8793514a1d5938db5d9d29ae725)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,9662eb0401518f0b4681f10e7fbf688f504f24cf)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,7dd9a42b044aad2dbe037db1c1e2943582485b44)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,39dc2b0eb5371a669ebc9ec6072b9184eac95418)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,d5ea0b3e261fcb2cfff142675516165244cab1da)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,1c6773b8c081509dcd5cd2954f2b02c50c00f151)`	affected	code_commit	—
`[637784ade221a3c8a7ecd0f583eddd95d6276b9a,a5f8a90ac9f77c678a9781c0a464b635e0d63e49)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.15`	affected	generic	—
`[0,4.15)`	unaffected	generic	—
`[5.10.259,5.10.*]`	unaffected	generic	—
`[5.15.210,5.15.*]`	unaffected	generic	—
`[6.1.176,6.1.*]`	unaffected	generic	—
`[6.6.143,6.6.*]`	unaffected	generic	—
`[6.12.94,6.12.*]`	unaffected	generic	—
`[7.0.13,7.0.*]`	unaffected	generic	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00394.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85
https://git.kernel.org/stable/c/1c6773b8c081509dcd5cd2954f2b02c50c00f151
https://git.kernel.org/stable/c/39dc2b0eb5371a669ebc9ec6072b9184eac95418
https://git.kernel.org/stable/c/7dd9a42b044aad2dbe037db1c1e2943582485b44
https://git.kernel.org/stable/c/9662eb0401518f0b4681f10e7fbf688f504f24cf
https://git.kernel.org/stable/c/a5f8a90ac9f77c678a9781c0a464b635e0d63e49
https://git.kernel.org/stable/c/a6724b7b812ac8793514a1d5938db5d9d29ae725
https://git.kernel.org/stable/c/d5ea0b3e261fcb2cfff142675516165244cab1da
https://lore.kernel.org/linux-cve-announce/2026062432-CVE-2026-52929-63ee@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-52929
https://www.cve.org/CVERecord?id=CVE-2026-52929

History

Sun, 28 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 25 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026062432-CVE-2026-52929-63ee@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-52929 https://www.cve.org/CVERecord?id=CVE-2026-52929
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 24 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 24 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: sctp: stream: fully roll back denied add-stream state When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed stream metadata behind, so a later re-add can reuse a stale ext and hit a null-pointer dereference in the scheduler get path. Fix the rollback by tearing down the removed stream state the same way other stream resizes do. Unschedule the current scheduler state, drop the removed stream ext state with sctp_stream_outq_migrate(), and then reschedule the remaining streams. This keeps scheduler-private RR/FC/PRIO lists consistent while fully rolling back denied outgoing stream additions.
Title		sctp: stream: fully roll back denied add-stream state
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85 https://git.kernel.org/stable/c/1c6773b8c081509dcd5cd2954f2b02c50c00f151 https://git.kernel.org/stable/c/39dc2b0eb5371a669ebc9ec6072b9184eac95418 https://git.kernel.org/stable/c/7dd9a42b044aad2dbe037db1c1e2943582485b44 https://git.kernel.org/stable/c/9662eb0401518f0b4681f10e7fbf688f504f24cf https://git.kernel.org/stable/c/a5f8a90ac9f77c678a9781c0a464b635e0d63e49 https://git.kernel.org/stable/c/a6724b7b812ac8793514a1d5938db5d9d29ae725 https://git.kernel.org/stable/c/d5ea0b3e261fcb2cfff142675516165244cab1da

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T07:14:22.020Z

Updated: 2026-06-28T06:36:49.598Z

Reserved: 2026-06-09T07:44:35.368Z

Link: CVE-2026-52929

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52929 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses

CWE-825

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object