Buffer Access with Incorrect Length Value Affecting rv package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS10-RV-17517390
- published26 Jun 2026
- disclosed25 Jun 2026
Introduced: 25 Jun 2026
NewCVE-2026-53224 (opens in a new tab)How to fix?
There is no fixed version for Centos:10 rv.
NVD Description
Note: Versions mentioned in the description apply only to the upstream rv package and not the rv package as distributed by Centos.
See How to fix? for Centos:10 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
sctp: validate embedded INIT chunk and address list lengths in cookie
sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header.
A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.
In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.
Fix this by:
- requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk);
- validating that the INIT chunk and raw address list together fit within the cookie payload;
- verifying sufficient data exists for each address parameter header and payload before parsing it.
Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2492769
- https://access.redhat.com/security/cve/CVE-2026-53224
- https://git.kernel.org/stable/c/512a9bb77c04ac9927648ea58af617e472be96e6
- https://git.kernel.org/stable/c/6f4c80a2a7e6d06753b89a578b710a2499a5e62b
- https://git.kernel.org/stable/c/7560afb8cddafd829e709d7ea09230e45a825557