Use-after-free / type confusion in Linux kernel SCTP SCTP_SENDALL path
CVE-2026-46227 is a flaw in the Linux kernel SCTP implementation, specifically in the SCTP_SENDALL path of sctp_sendmsg(). The code iterates endpoint associations in ep->asocs using list_for_each_entry_safe(), which caches the next list element in a temporary cursor before the loop body executes. During iteration, sctp_sendmsg_to_asoc() can drop the socket lock inside sctp_wait_for_sndbuf(). While that lock is released, another thread can peel off the cached next association via SCTP_SOCKOPT_PEELOFF, causing sctp_sock_migrate() to remove it from the current endpoint list and attach it to a new endpoint list, and the migrated association may then be freed if the new socket is closed. The cached next pointer may also be freed by a network ABORT processed in softirq while the lock is dropped. Although the current association is revalidated after relocking using checks on asoc->base.sk and asoc->base.dead, the cached next cursor was not revalidated. As a result, iteration can advance to a stale pointer, causing either a use-after-free or a walk onto a different endpoint's list head, producing type confusion by treating &newep->asocs as a struct sctp_association *. The upstream fix re-derives the next iterator cursor from the current association after sctp_sendmsg_to_asoc() returns.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux kernel vulnerability in ibmveth GSO handling for packets with small MSS.
A Linux kernel vulnerability in SCTP involving list cursor revalidation after sctp_sendmsg_to_asoc() in SCTP_SENDALL handling.
A Linux kernel SCTP vulnerability in the SCTP_SENDALL path where a stale list iterator can be used after the socket lock is dropped, leading to a reachable use-after-free or type confusion with potential controlled indirect call.
Linux kernel vulnerability in SCTP send-all handling due to failure to revalidate the list cursor after sctp_sendmsg_to_asoc().
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.