Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-15422

Summary
Assigner-illumos
Assigner Org ID-0ca53633-f0b5-4853-ba72-e0a2e62000d0
Published At-16 Jul, 2026 | 19:29
Updated At-17 Jul, 2026 | 13:47
Rejected At-
Credits

SCTP needs to better-check INIT ACK chunk parameters

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:illumos
Assigner Org ID:0ca53633-f0b5-4853-ba72-e0a2e62000d0
Published At:16 Jul, 2026 | 19:29
Updated At:17 Jul, 2026 | 13:47
Rejected At:
▼CVE Numbering Authority (CNA)
SCTP needs to better-check INIT ACK chunk parameters

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

Affected Products
Vendor
illumos
Product
illumos-gate
Repo
https://github.com/illumos/illumos-gate
Modules
  • kernel
  • SCTP
Program Files
  • usr/src/uts/common/inet/sctp/sctp_hash.c
Default Status
affected
Versions
Affected
  • From a5407c02d5ed61b29481b9b71f1307d7ebec9e5c before 53a3efdeff8e6745bbfb69c5360f94962fb79e75 (git)
    • -> unaffectedfrom53a3efdeff8e6745bbfb69c5360f94962fb79e75
Vendor
OmniOS
Product
OmniOS
Default Status
affected
Versions
Affected
  • From r151058 before r151058j (custom)
    • -> unaffectedfromr151058j
  • From r151056 before r151056aj (custom)
    • -> unaffectedfromr151056aj
  • From r151054 before r151054bj (custom)
    • -> unaffectedfromr151054bj
  • From any before r151054 (custom)
Vendor
Triton Data Center
Product
SmartOS
Default Status
affected
Versions
Affected
  • From any before 202060709 (custom)
    • -> unaffectedfrom20260709
Problem Types
TypeCWE IDDescription
CWECWE-122CWE-122 Heap-based buffer overflow
CWECWE-787CWE-787 Out-of-bounds write
Type: CWE
CWE ID: CWE-122
Description: CWE-122 Heap-based buffer overflow
Type: CWE
CWE ID: CWE-787
Description: CWE-787 Out-of-bounds write
Metrics
VersionBase scoreBase severityVector
4.09.1CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red
Version: 4.0
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-100CAPEC-100 Overflow Buffers
CAPEC-30CAPEC-30 Hijacking a Privileged Thread of Execution
CAPEC ID: CAPEC-100
Description: CAPEC-100 Overflow Buffers
CAPEC ID: CAPEC-30
Description: CAPEC-30 Hijacking a Privileged Thread of Execution
Solutions

Update your illumos distro to one that includes 18117's fix.

Configurations

Workarounds

In order of recommendation: 1.) Hotpatch the faulty SCTP input path.  See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue's output, contact developers@lists.illumos.org. 2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.

Exploits

Credits

finder
Sourque
remediation developer
Dan McDonald
Timeline
EventDate
Vendor Notified2026-04-30 20:00:00
Disclosed2026-07-08 19:00:00
Event: Vendor Notified
Date: 2026-04-30 20:00:00
Event: Disclosed
Date: 2026-07-08 19:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters
mailing-list
https://illumos.org/issues/18117
issue-tracking
https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75
patch
Hyperlink: https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters
Resource:
mailing-list
Hyperlink: https://illumos.org/issues/18117
Resource:
issue-tracking
Hyperlink: https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:0ca53633-f0b5-4853-ba72-e0a2e62000d0
Published At:16 Jul, 2026 | 20:16
Updated At:17 Jul, 2026 | 18:45

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.09.1CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red
N/A
Type: Secondary
Version: 4.0
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-122Secondary0ca53633-f0b5-4853-ba72-e0a2e62000d0
CWE-787Secondary0ca53633-f0b5-4853-ba72-e0a2e62000d0
CWE ID: CWE-122
Type: Secondary
Source: 0ca53633-f0b5-4853-ba72-e0a2e62000d0
CWE ID: CWE-787
Type: Secondary
Source: 0ca53633-f0b5-4853-ba72-e0a2e62000d0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e750ca53633-f0b5-4853-ba72-e0a2e62000d0
N/A
https://illumos.org/issues/181170ca53633-f0b5-4853-ba72-e0a2e62000d0
N/A
https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters0ca53633-f0b5-4853-ba72-e0a2e62000d0
N/A
Hyperlink: https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75
Source: 0ca53633-f0b5-4853-ba72-e0a2e62000d0
Resource: N/A
Hyperlink: https://illumos.org/issues/18117
Source: 0ca53633-f0b5-4853-ba72-e0a2e62000d0
Resource: N/A
Hyperlink: https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters
Source: 0ca53633-f0b5-4853-ba72-e0a2e62000d0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2Records found

CVE-2026-15449
Matching Score-6
Assigner-0ca53633-f0b5-4853-ba72-e0a2e62000d0
ShareView Details
Matching Score-6
Assigner-0ca53633-f0b5-4853-ba72-e0a2e62000d0
CVSS Score-5.8||MEDIUM
EPSS-Not Assigned
Published-16 Jul, 2026 | 19:27
Updated-17 Jul, 2026 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOCTOU double copyin in illumos dld ioctl handling causes kernel heap corruption

A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.

Action-Not Available
Vendor-Triton Data CenterOmniOSillumos
Product-illumos-gateOmniOSSmartOS
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2023-31284
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.28% / 19.87%
||
7 Day CHG~0.00%
Published-04 May, 2023 | 00:00
Updated-29 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

illumos illumos-gate before 676abcb has a stack buffer overflow in /dev/net, leading to privilege escalation via a stat on a long file name in /dev/net.

Action-Not Available
Vendor-illumosn/a
Product-illumos-gaten/a
CWE ID-CWE-787
Out-of-bounds Write
Details not found