CVE-2026-46227 (GCVE-0-2026-46227)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:40 – Updated: 2026-06-30 12:10
VLAI
Title
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
Summary
In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < f3a3f0b406b4b7eb3cea35a23fa2bf170848b104 (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 0dbc8cde64280fc37cdd678cced34eaf96cfb197 (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 0c7b55974f97b78d1109025eadf084e74cbf330f (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078 (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < 6187a172d6ed57d6b2c327836e4407c6456e639d (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < c9dadb31f36045a8cb65df4bd75e7237ef21a4b5 (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < bf0f40d8107e2ce827521968dc6926f3e13728ae (git)
Affected: 4910280503f3af2857d5aa77e35b22d93a8960a8 , < abb5f36771cc4c05899b34000829a787572a8817 (git)
Create a notification for this product.
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 5.10.258 , ≤ 5.10.* (semver)
Unaffected: 5.15.209 , ≤ 5.15.* (semver)
Unaffected: 6.1.175 , ≤ 6.1.* (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.90 , ≤ 6.12.* (semver)
Unaffected: 6.18.32 , ≤ 6.18.* (semver)
Unaffected: 7.0.9 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.4)     cpe:/a:redhat:rhel_e4s:9.4::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.4)     cpe:/o:redhat:rhel_aus:8.4::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)     cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.8)     cpe:/o:redhat:rhel_e4s:8.8::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.8)     cpe:/o:redhat:rhel_tus:8.8::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.2)     cpe:/o:redhat:rhel_e4s:9.2::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.4)     cpe:/o:redhat:rhel_e4s:9.4::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::nfv
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)     cpe:/a:redhat:rhel_e4s:9.4::nfv
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::realtime
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time E4S (v.9.4)     cpe:/a:redhat:rhel_e4s:9.4::realtime
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_aus:8.4::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:8.8::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_tus:8.8::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:9.2::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:9.4::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::nfv"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.4::nfv"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::realtime"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.4::realtime"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time E4S (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-28T00:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in the Linux kernel\u0027s Stream Control Transmission Protocol (SCTP) implementation. A race condition exists in the `SCTP_SENDALL` path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker (via a network abort) to trigger a use-after-free or type confusion vulnerability. Successful exploitation can lead to a controlled indirect call, potentially resulting in arbitrary code execution."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-367",
                "description": "Time-of-check Time-of-use (TOCTOU) Race Condition",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:10:08.705Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-46227"
          },
          {
            "name": "RHBZ#2482564",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482564"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46227.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27731"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26515"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27735"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26535"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26563"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26462"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26515: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27735: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26535: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26563: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26462: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-28T00:00:00.000Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-28T00:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f3a3f0b406b4b7eb3cea35a23fa2bf170848b104",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "0dbc8cde64280fc37cdd678cced34eaf96cfb197",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "0c7b55974f97b78d1109025eadf084e74cbf330f",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "6187a172d6ed57d6b2c327836e4407c6456e639d",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "c9dadb31f36045a8cb65df4bd75e7237ef21a4b5",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "bf0f40d8107e2ce827521968dc6926f3e13728ae",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            },
            {
              "lessThan": "abb5f36771cc4c05899b34000829a787572a8817",
              "status": "affected",
              "version": "4910280503f3af2857d5aa77e35b22d93a8960a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.90",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.32",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.9",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\n\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\ndrop the socket lock inside sctp_wait_for_sndbuf().\n\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\nassociation cached in @tmp, migrating it to a new endpoint via\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\nnewep-\u003easocs), and optionally close the new socket which frees the\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\nnetwork ABORT for that association, processed in softirq while the\nlock is dropped.\n\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\nvia the \"sk != asoc-\u003ebase.sk\" and \"asoc-\u003ebase.dead\" checks, but nothing\nrevalidates @tmp.  After a successful return, the iterator advances to\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\n\nBoth are reachable from CapEff=0; the type-confusion path gives\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\n\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\nonly callers that list_del an association from ep-\u003easocs are\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\nsctp_wait_for_sndbuf() checks both under the lock before any\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\nbails before the re-derive.\n\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\nthe @tmp cached by list_for_each_entry_safe() still covers the\nlock-held free that ba59fb027307 (\"sctp: walk the list of asoc\nsafely\") was added for."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T18:04:07.453Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078"
        },
        {
          "url": "https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817"
        }
      ],
      "title": "sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46227",
    "datePublished": "2026-05-28T09:40:47.518Z",
    "dateReserved": "2026-05-13T15:03:33.106Z",
    "dateUpdated": "2026-06-30T12:10:08.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46227",
      "date": "2026-06-30",
      "epss": "0.00104",
      "percentile": "0.01219"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46227\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:38.317\",\"lastModified\":\"2026-06-30T03:20:18.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL\\n\\nThe SCTP_SENDALL path in sctp_sendmsg() iterates ep-\u003easocs with\\nlist_for_each_entry_safe(), which caches the next entry in @tmp before\\nthe loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may\\ndrop the socket lock inside sctp_wait_for_sndbuf().\\n\\nWhile the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the\\nassociation cached in @tmp, migrating it to a new endpoint via\\nsctp_sock_migrate() (list_del_init() + list_add_tail() to\\nnewep-\u003easocs), and optionally close the new socket which frees the\\nassociation via kfree_rcu().  The cached @tmp can also be freed by a\\nnetwork ABORT for that association, processed in softirq while the\\nlock is dropped.\\n\\nsctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock\\nvia the \\\"sk != asoc-\u003ebase.sk\\\" and \\\"asoc-\u003ebase.dead\\\" checks, but nothing\\nrevalidates @tmp.  After a successful return, the iterator advances to\\nthe stale @tmp, yielding either a use-after-free (if the peeled socket\\nwas closed) or a list-walk onto the new endpoint\u0027s list head (type\\nconfusion of \u0026newep-\u003easocs as a struct sctp_association *).\\n\\nBoth are reachable from CapEff=0; the type-confusion path gives\\ncontrolled indirect call via the outqueue.sched-\u003einit_sid pointer.\\n\\nFix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()\\nreturns.  @asoc is known to still be on ep-\u003easocs at that point: the\\nonly callers that list_del an association from ep-\u003easocs are\\nsctp_association_free() (which sets asoc-\u003ebase.dead) and\\nsctp_assoc_migrate() (which changes asoc-\u003ebase.sk), and\\nsctp_wait_for_sndbuf() checks both under the lock before any\\nsuccessful return; a tripped check propagates as err \u003c 0 and the loop\\nbails before the re-derive.\\n\\nThe SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the\\nloop hits \u0027continue\u0027 before sctp_sendmsg_to_asoc() is ever called, so\\nthe @tmp cached by list_for_each_entry_safe() still covers the\\nlock-held free that ba59fb027307 (\\\"sctp: walk the list of asoc\\nsafely\\\") was added for.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/sctp/socket.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"f3a3f0b406b4b7eb3cea35a23fa2bf170848b104\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"0dbc8cde64280fc37cdd678cced34eaf96cfb197\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"0c7b55974f97b78d1109025eadf084e74cbf330f\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"6187a172d6ed57d6b2c327836e4407c6456e639d\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"c9dadb31f36045a8cb65df4bd75e7237ef21a4b5\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"bf0f40d8107e2ce827521968dc6926f3e13728ae\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4910280503f3af2857d5aa77e35b22d93a8960a8\",\"lessThan\":\"abb5f36771cc4c05899b34000829a787572a8817\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/sctp/socket.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"4.17\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"4.17\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.258\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.209\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.175\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.140\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.90\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.32\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.9\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.9.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.2::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream E4S (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.4::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS AUS (v.8.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_aus:8.4::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_eus_long_life:8.4::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS E4S (v.8.8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_e4s:8.8::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS TUS (v.8.8)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_tus:8.8::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS E4S (v.9.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_e4s:9.2::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS E4S (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_e4s:9.4::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.2::nfv\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.4::nfv\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time E4S (v.9.2)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.2::realtime\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time E4S (v.9.4)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_e4s:9.4::realtime\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 6\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 7\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:7\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.17\",\"versionEndExcluding\":\"5.10.258\",\"matchCriteriaId\":\"CF9EFBB4-E004-479B-A237-DECC87FD4D0E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.209\",\"matchCriteriaId\":\"919C10A9-7951-4A74-BADD-C135A0A8D8B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.175\",\"matchCriteriaId\":\"92385813-D91D-480D-83A1-F423D2CBB2BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.140\",\"matchCriteriaId\":\"A1A92866-F406-43B5-B2D1-CFC274753E9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.90\",\"matchCriteriaId\":\"3BAAA2BE-6EEC-45D5-AD66-50F63CA20483\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.32\",\"matchCriteriaId\":\"CB9F1FA8-6D5E-42B1-9877-57BACFE5C886\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"7.0.9\",\"matchCriteriaId\":\"33ACA10B-B260-46EA-BD50-70EBE5097672\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B1EF7059-E670-45F4-B422-54C40FA86390\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D38F0BF-A728-4133-A358-D44A2F7EE6D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC732D08-5F7B-46D9-B154-E60C7F4F0A97\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0c7b55974f97b78d1109025eadf084e74cbf330f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0dbc8cde64280fc37cdd678cced34eaf96cfb197\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1bfb06ecb00f7fdf35dba8e8f2877346cbe5e078\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6187a172d6ed57d6b2c327836e4407c6456e639d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abb5f36771cc4c05899b34000829a787572a8817\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bf0f40d8107e2ce827521968dc6926f3e13728ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c9dadb31f36045a8cb65df4bd75e7237ef21a4b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f3a3f0b406b4b7eb3cea35a23fa2bf170848b104\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26462\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26515\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26535\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:26563\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27731\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27735\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-46227\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2482564\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46227.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…