Linux Kernel SCTP Authentication Key Handling Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of SCTP (Stream Control Transmission Protocol) authentication keys. This issue arises because the active key is not properly updated when an error is returned from the function that initializes the active key. As a result, the old key is freed while still in use, leading to a use-after-free condition when packets are sent. This vulnerability was reported by syzbot.
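The error-path mistake described above is easier to see in a small model. The following C program is an added illustration, not kernel code: it uses hypothetical structures (`auth_key`, `assoc_state`) and a stand-in `init_active_key()` that can be forced to fail, and it replaces `kfree()` with a `freed` flag so the dangling reference can be observed instead of crashing. The buggy variant drops its reference to the old key before the new key has been initialized and leaves the association's active key pointer untouched when initialization fails; the fixed variant commits the switch only after initialization succeeds, so a failure leaves the old key both referenced and valid.

```c
#include <stdio.h>

/* Hypothetical, simplified model of an association's authentication key
 * state. These are assumptions for this example, not the kernel's own
 * structures or function names. */
struct auth_key {
    int id;
    int refcnt;
    int freed;   /* set instead of a real free() so the outcome is observable */
};

struct assoc_state {
    struct auth_key *active_key; /* key used to authenticate outgoing packets */
    int init_should_fail;        /* constructed knob: force the init step to fail */
};

static struct auth_key *key_hold(struct auth_key *k)
{
    k->refcnt++;
    return k;
}

static void key_put(struct auth_key *k)
{
    if (--k->refcnt == 0)
        k->freed = 1;   /* stand-in for freeing the key */
}

/* Stand-in for the step that initializes the active key; may fail,
 * e.g. on allocation failure in real code. */
static int init_active_key(struct assoc_state *a, struct auth_key *k)
{
    (void)k;
    return a->init_should_fail ? -1 : 0;
}

/* BUGGY pattern: the old key's reference is released before the new key is
 * known to be usable, and on error active_key is never updated, so it keeps
 * pointing at memory that has just been freed. */
static int set_active_key_buggy(struct assoc_state *a, struct auth_key *newk)
{
    key_put(a->active_key);              /* old key may be freed right here */
    if (init_active_key(a, newk) < 0)
        return -1;                       /* active_key still -> freed old key */
    a->active_key = key_hold(newk);
    return 0;
}

/* FIXED pattern: initialize first; only on success swap the pointer and
 * drop the old reference. A failure leaves the association untouched. */
static int set_active_key_fixed(struct assoc_state *a, struct auth_key *newk)
{
    struct auth_key *old = a->active_key;

    if (init_active_key(a, newk) < 0)
        return -1;                       /* old key remains held and valid */
    a->active_key = key_hold(newk);
    key_put(old);
    return 0;
}

/* Returns 1 if sending a packet now would read a freed key. */
static int sends_with_freed_key(const struct assoc_state *a)
{
    return a->active_key != NULL && a->active_key->freed;
}

/* Drive one variant through the failing init path. Keys are constructed
 * locals; the association holds the only reference to the old key. */
static int run_variant(int (*set_key)(struct assoc_state *, struct auth_key *))
{
    struct auth_key oldk = { .id = 1, .refcnt = 1, .freed = 0 };
    struct auth_key newk = { .id = 2, .refcnt = 1, .freed = 0 };
    struct assoc_state a = { .active_key = &oldk, .init_should_fail = 1 };

    (void)set_key(&a, &newk);
    return sends_with_freed_key(&a);
}

int buggy_leaves_dangling_key(void) { return run_variant(set_active_key_buggy); }
int fixed_leaves_dangling_key(void) { return run_variant(set_active_key_fixed); }

int main(void)
{
    printf("buggy variant sends with freed key: %d\n", buggy_leaves_dangling_key());
    printf("fixed variant sends with freed key: %d\n", fixed_leaves_dangling_key());
    return 0;
}
```

The general rule the fixed variant follows is the one a reviewer checks on any refcounted swap: acquire and initialize the replacement before releasing what it replaces, and make every error return leave the object in the state it had on entry.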

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by triggering an error in the SCTP authentication key initialization process. This can be done by manipulating the key management functions to return an error, which will cause the old key to be freed while still active in the association. Once the key is freed, the association can be used to send packets, triggering the use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 15, 2025, 10:56 PM
Updated: Sep 15, 2025, 10:56 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.