Description

In the Linux kernel, the following vulnerability has been resolved: sctp: stream: fully roll back denied add-stream state When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and then lowers outcnt. That leaves removed stream metadata behind, so a later re-add can reuse a stale ext and hit a null-pointer dereference in the scheduler get path. Fix the rollback by tearing down the removed stream state the same way other stream resizes do. Unschedule the current scheduler state, drop the removed stream ext state with sctp_stream_outq_migrate(), and then reschedule the remaining streams. This keeps scheduler-private RR/FC/PRIO lists consistent while fully rolling back denied outgoing stream additions.

Affected products

VendorProductVersions
LinuxLinux637784ade221a3c8a7ecd0f583eddd95d6276b9a to <0cd2dc6dce8ca47212cd306ccd52eb315ef3cf85; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <a6724b7b812ac8793514a1d5938db5d9d29ae725; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <9662eb0401518f0b4681f10e7fbf688f504f24cf; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <7dd9a42b044aad2dbe037db1c1e2943582485b44; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <39dc2b0eb5371a669ebc9ec6072b9184eac95418; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <d5ea0b3e261fcb2cfff142675516165244cab1da; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <1c6773b8c081509dcd5cd2954f2b02c50c00f151; 637784ade221a3c8a7ecd0f583eddd95d6276b9a to <a5f8a90ac9f77c678a9781c0a464b635e0d63e49
LinuxLinux4.15; 0 to <4.15; 5.10.259 to <=5.10.*; 5.15.210 to <=5.15.*; 6.1.176 to <=6.1.*; 6.6.143 to <=6.6.*; 6.12.94 to <=6.12.*; 6.18.36 to <=6.18.*; 7.0.13 to <=7.0.*; 7.1 to <=*

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 24 Jun 2026 09:35 UTC.