{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-12T10:51:52.173","vulnerabilities":[{"cve":{"id":"CVE-2021-46999","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-02-28T09:15:38.130","lastModified":"2025-01-08T17:36:29.443","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: do asoc update earlier in sctp_sf_do_dupcook_a\n\nThere's a panic that occurs in a few of envs, the call trace is as below:\n\n  [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI\n  [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]\n  []  sctp_assoc_control_transport+0x1b9/0x210 [sctp]\n  []  sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]\n  []  sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]\n  []  sctp_do_sm+0xc3/0x2a0 [sctp]\n  []  sctp_generate_timeout_event+0x81/0xf0 [sctp]\n\nThis is caused by a transport use-after-free issue. When processing a\nduplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK\nand SHUTDOWN chunks are allocated with the transort from the new asoc.\nHowever, later in the sideeffect machine, the old asoc is used to send\nthem out and old asoc's shutdown_last_sent_to is set to the transport\nthat SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually\nbelongs to the new asoc. After the new_asoc is freed and the old asoc\nT2 timeout, the old asoc's shutdown_last_sent_to that is already freed\nwould be accessed in sctp_sf_t2_timer_expire().\n\nThanks Alexander and Jere for helping dig into this issue.\n\nTo fix it, this patch is to do the asoc update first, then allocate\nthe COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This\nwould make more sense, as a chunk from an asoc shouldn't be sent out\nwith another asoc. We had fixed quite a few issues caused by this."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sctp: haga una actualización anterior en sctp_sf_do_dupcook_a Hay un pánico que ocurre en algunos de los entornos, el seguimiento de la llamada es el siguiente: [] falla de protección general, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra. 21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] Esto se debe a un problema de use-after-free del transporte. Al procesar un fragmento COOKIE-ECHO duplicado en sctp_sf_do_dupcook_a(), tanto los fragmentos COOKIE-ACK como SHUTDOWN se asignan con el transort del nuevo asoc. Sin embargo, más adelante en la máquina de efectos secundarios, el antiguo asoc se utiliza para enviarlos y el Shutdown_last_sent_to del antiguo asoc se configura en el transporte al que se adjuntó el fragmento SHUTDOWN en sctp_cmd_setup_t2(), que en realidad pertenece al nuevo asoc. Después de que se libera el new_asoc y se agota el tiempo de espera T2 del antiguo asoc, se accederá al Shutdown_last_sent_to del antiguo asoc que ya está liberado en sctp_sf_t2_timer_expire(). Gracias Alexander y Jere por ayudarnos a profundizar en este problema. Para solucionarlo, este parche consiste en realizar primero la actualización de asoc y luego asignar los fragmentos COOKIE-ACK y SHUTDOWN con el antiguo asoc 'actualizado'. Esto tendría más sentido, ya que un fragmento de una asoc no debería enviarse con otra asoc. Hemos solucionado bastantes problemas causados por esto."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.123","versionEndExcluding":"4.19.191","matchCriteriaId":"D20BDA16-5AB8-4904-BD6D-95AA2838AC18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.41","versionEndExcluding":"5.4.120","matchCriteriaId":"D251349F-754D-42A1-9056-739E6B415320"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.10.38","matchCriteriaId":"4EC70BEE-8480-4726-B12A-17BED681CD70"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.11.22","matchCriteriaId":"83B53E9A-F426-4C03-9A5F-A931FF79827E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.12","versionEndExcluding":"5.12.5","matchCriteriaId":"0274929A-B36C-4F4C-AB22-30A0DD6B995B"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/0bfd913c2121b3d553bfd52810fe6061d542d625","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/35b4f24415c854cd718ccdf38dbea6297f010aae","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/61b877bad9bb0d82b7d8841be50872557090a704","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/b1b31948c0af44628e43353828453461bb74098f","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d624f2991b977821375fbd56c91b0c91d456a697","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f01988ecf3654f805282dce2d3bb9afe68d2691e","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}