Critical Heap Corruption Flaw Discovered in illumos SCTP Stack
A critical vulnerability in the illumos SCTP inbound path allows unauthenticated remote attackers to trigger kernel heap corruption and potential code execution.
A critical security vulnerability, tracked as CVE-2026-15422, has been identified in the illumos SCTP inbound path. The issue stems from inadequate validation of address parameters during association lookup for INIT ACK chunks. Because this process occurs during packet classification, it bypasses standard SCTP integrity checks and IPsec policies.
An unauthenticated remote attacker can exploit this flaw by sending a crafted SCTP INIT ACK packet containing malformed address parameters. This action triggers an out-of-bounds access, resulting in kernel heap corruption that may lead to remote code execution. The vulnerability has been present in the codebase since 2010.
This flaw affects all illumos distributions released prior to the application of the fix in illumos-gate commit 53a3efde. Administrators are strongly advised to update their systems to a version that includes the necessary security patch to mitigate the risk of exploitation.
Continue Reading
Formalizing the Vulnerability Lifecycle
International agencies are pushing software vendors to adopt standardized vulnerability disclosure frameworks for better security.
WireGuard Easy Vulnerability Allows Unauthorized Credential Recovery
A critical flaw in WireGuard Easy allows unauthenticated attackers to brute-force weak tokens and hijack VPN peer credentials.
CISA Adds Fortinet FortiSandbox Command Injection Flaw to KEV Catalog
CISA has confirmed active exploitation of a command injection vulnerability in Fortinet FortiSandbox, mandating urgent remediation for federal agencies.