Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: disable BH before calling udp_tunnel_xmit_skb()

udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with
BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to
tunnel xmit functions"), on the path:

udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit()

dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU.

Without local_bh_disable(), the context may move between CPUs, which can
break the inc/dec pairing. This may lead to incorrect recursion level
detection and cause packets to be dropped in ip(6)_tunnel_xmit() or
__dev_queue_xmit().

Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.

In my testing, after enabling SCTP over UDP:

# ip net exec ha sysctl -w net.sctp.udp_port=9899
# ip net exec ha sysctl -w net.sctp.encap_port=9899
# ip net exec hb sysctl -w net.sctp.udp_port=9899
# ip net exec hb sysctl -w net.sctp.encap_port=9899

# ip net exec ha iperf3 -s

- without this patch:

# ip net exec hb iperf3 -c 192.168.0.1 --sctp
[ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender
[ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver

- with this patch:

# ip net exec hb iperf3 -c 192.168.0.1 --sctp
[ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender
[ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver

Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s SCTP over UDP implementation transmitted packets without disabling bottom halves (BH). Because udp_tunnel_xmit_skb() (and its IPv6 counterpart) expects to run with BH disabled, the missing local_bh_disable() allowed the execution context to migrate between CPUs between the recursion counter increment and its matching decrement, leaving the per-CPU counters unbalanced. This mismatch could lead the kernel to believe it was already at the recursion limit and consequently drop packets in ip(6)_tunnel_xmit() or __dev_queue_xmit(). The effect is loss of data packets, degraded throughput and, in high‑traffic scenarios, a measurable denial of service.
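As an added illustration (not code from the kernel or from this patch), the following user-space model shows why an unbalanced per-CPU recursion counter eventually drops every packet once the context can migrate between the increment and the decrement. The counter names mirror the kernel's and XMIT_RECURSION_LIMIT is the kernel's value of 8; the two-CPU array and the migration pattern are assumptions of the model.

```c
/* Added example, not code from the kernel or the patch: a user-space model of
 * why the per-CPU xmit recursion counter breaks when the inc and the matching
 * dec can land on different CPUs. Names mirror the kernel's
 * (dev_xmit_recursion_inc/dec, XMIT_RECURSION_LIMIT = 8); the two-CPU array
 * and the migration pattern are assumptions of the model. */
#include <stdbool.h>
#include <stdio.h>

#define NCPU 2
#define XMIT_RECURSION_LIMIT 8

/* Stands in for the per-CPU recursion depth the kernel keeps. */
static int recursion[NCPU];

static void model_reset(void) { for (int i = 0; i < NCPU; i++) recursion[i] = 0; }

/* One encapsulated transmit. cpu_in is the CPU the caller enters on; if BH is
 * not disabled the context may have migrated to cpu_out by the time the dec
 * runs. Returns true when the recursion check drops the packet. */
static bool model_tunnel_xmit(int cpu_in, int cpu_out, bool bh_disabled)
{
    if (recursion[cpu_in] > XMIT_RECURSION_LIMIT) /* dev_xmit_recursion() */
        return true;                              /* skb is dropped here */
    recursion[cpu_in]++;                          /* dev_xmit_recursion_inc() */
    /* ... ip(6)_tunnel_xmit() -> __dev_queue_xmit() would run here ... */
    int dec_cpu = bh_disabled ? cpu_in : cpu_out; /* local_bh_disable() pins us */
    recursion[dec_cpu]--;                         /* dev_xmit_recursion_dec() */
    return false;
}

/* Send n packets entering on CPU 0; without BH disabled every second packet
 * migrates to CPU 1 before its dec. Returns the number of dropped packets:
 * the leaked increments on CPU 0 cross the limit after 18 packets and every
 * later packet is dropped, while CPU 1's counter drifts negative. */
static int model_send(int n, bool bh_disabled)
{
    int dropped = 0;
    model_reset();
    for (int i = 0; i < n; i++) {
        int cpu_out = (i % 2) ? 1 : 0;
        if (model_tunnel_xmit(0, cpu_out, bh_disabled))
            dropped++;
    }
    return dropped;
}
```

Calling model_send(100, false) returns 82 dropped packets and model_send(100, true) returns 0, mirroring the throughput collapse in the commit message's iperf3 runs.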

Affected Systems

All Linux kernel releases that contain the SCTP over UDP path prior to the inclusion of commit 6f1a9140ecda. The exact kernel series is not specified, so any distribution shipping an unpatched kernel before this commit is vulnerable. No specific product or vendor beyond the Linux kernel is listed.

Risk and Exploitability

The issue is a race condition (CWE‑362) that can be triggered whenever SCTP over UDP is enabled and remote traffic is sent to the local node. An attacker could flood the node with SCTP traffic to force packet drops, effectively creating a local or remote denial of service. The CVSS and EPSS scores are not available, and the vulnerability is not listed in the CISA KEV catalog, indicating moderate risk with no known exploitation. Reducing the attack surface by disabling SCTP over UDP mitigates the problem, but the only definitive fix is to update the kernel to a version that includes the commit that disables BH around the SCTP UDP transmit paths.

Generated by OpenCVE AI on June 24, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Linux kernel that includes commit 6f1a9140ecda, or a later release that incorporates the fix.
  • Disable SCTP over UDP if not required by setting the sysctl parameters net.sctp.udp_port=0 and net.sctp.encap_port=0.
  • As a temporary measure, block or rate‑limit SCTP traffic you do not trust using firewall rules or network segmentation to prevent excessive packet drops.

Generated by OpenCVE AI on June 24, 2026 at 19:18 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | In the Linux kernel, the following vulnerability has been resolved: sctp: disable BH before calling udp_tunnel_xmit_skb() udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path: udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit() dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU. Without local_bh_disable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)_tunnel_xmit() or __dev_queue_xmit(). Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths. In my testing, after enabling the SCTP over UDP: # ip net exec ha sysctl -w net.sctp.udp_port=9899 # ip net exec ha sysctl -w net.sctp.encap_port=9899 # ip net exec hb sysctl -w net.sctp.udp_port=9899 # ip net exec hb sysctl -w net.sctp.encap_port=9899 # ip net exec ha iperf3 -s - without this patch: # ip net exec hb iperf3 -c 192.168.0.1 --sctp [ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver - with this patch: # ip net exec hb iperf3 -c 192.168.0.1 --sctp [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver
Title               |                | sctp: disable BH before calling udp_tunnel_xmit_skb()
First Time appeared |                | Linux; Linux linux Kernel
CPEs                |                | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products  |                | Linux; Linux linux Kernel
References          |                |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:11.816Z

Reserved: 2026-06-09T07:44:35.382Z

Link: CVE-2026-53070

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T01:30:15Z

Weaknesses

No weakness.