CVE-2026-15422 in illumosinfo

Summary

by MITRE • 07/16/2026

The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability resides in the SCTP implementation of illumos operating systems, specifically within the inbound packet processing path for INIT ACK chunks. The flaw represents a critical security issue that allows remote code execution through improper validation of address parameters during association lookup. The vulnerability exists in the packet classification phase where SCTP performs association lookups before applying integrity checks or IPsec policies, creating an exploitable window where malformed address parameters can trigger memory corruption.

The technical implementation of this flaw stems from inadequate input validation within the SCTP protocol stack's initialization process. When processing INIT ACK chunks, the system fails to properly validate the address parameters contained within these packets before performing association lookups. This validation gap occurs during the early stages of packet handling, prior to any security mechanisms such as SCTP integrity protection or IPsec policy enforcement being applied. The vulnerability specifically targets the kernel heap management during outbound packet processing, where malformed address fields can cause out-of-bounds memory access patterns that corrupt kernel memory structures.

The operational impact of this vulnerability extends beyond simple denial of service scenarios to encompass full remote code execution capabilities. Attackers can craft specially formatted SCTP INIT ACK packets with malformed address parameters to trigger the vulnerable code path. The heap corruption resulting from these malformed inputs can be leveraged to execute arbitrary code within the kernel context, potentially allowing attackers to gain complete system control. This vulnerability affects all illumos distributions released prior to commit 53a3efde, with the flaw having remained unpatched since 2010 according to the illumos-gate repository history.

The security implications align with CWE-125 Out-of-bounds Read and CWE-787 Out-of-bounds Write categories, as the vulnerability involves accessing memory outside of allocated buffers during kernel heap operations. From an ATT&CK framework perspective, this represents a privilege escalation technique through kernel exploitation, specifically targeting the operating system's network stack implementation. The attack vector requires only network access to send malicious SCTP packets, making it particularly dangerous in environments where SCTP is enabled and accessible to untrusted networks. The long-standing nature of this vulnerability demonstrates the critical importance of thorough input validation in kernel-level code processing.

Mitigation strategies should include immediate patching of affected illumos systems to commit 53a3efde or equivalent security updates that address the association lookup validation. Network administrators should consider disabling SCTP protocol support if not actively required, particularly in environments where untrusted network access exists. Implementing proper firewall rules to restrict SCTP traffic and monitoring for unusual SCTP packet patterns can provide additional defensive layers. The vulnerability highlights the necessity of comprehensive input validation in kernel-space operations and demonstrates how seemingly minor implementation flaws can result in severe privilege escalation capabilities across operating system distributions that have not received timely security updates.

Responsible

Illumos

Reservation

07/10/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!