{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "4910280503f3af2857d5aa77e35b22d93a8960a8"
            },
            {
              "fixed": "f3a3f0b406b4b7eb3cea35a23fa2bf170848b104"
            },
            {
              "fixed": "0dbc8cde64280fc37cdd678cced34eaf96cfb197"
            },
            {
              "fixed": "0c7b55974f97b78d1109025eadf084e74cbf330f"
            },
            {
              "fixed": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
            },
            {
              "fixed": "6187a172d6ed57d6b2c327836e4407c6456e639d"
            },
            {
              "fixed": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
            },
            {
              "fixed": "bf0f40d8107e2ce827521968dc6926f3e13728ae"
            },
            {
              "fixed": "abb5f36771cc4c05899b34000829a787572a8817"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.17.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.90"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.32"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46227.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint's list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for.",
  "id": "CVE-2026-46227",
  "modified": "2026-07-09T03:51:55.105793691Z",
  "published": "2026-05-28T09:40:47.518Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46227.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26462"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26515"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26535"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26563"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:27731"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:27735"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33899"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:34094"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36018"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36348"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:36349"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46227"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46227.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46227"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482564"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL"
}