CVE-2026-53070
Memory Corruption in Linux Kernel SCTP UDP Encapsulation

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: disable BH before calling udp_tunnel_xmit_skb()

udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path:

  udp(6)_tunnel_xmit_skb() -> ip(6)_tunnel_xmit()

dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU. Without local_bh_disable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)_tunnel_xmit() or __dev_queue_xmit().

Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.

In my testing, after enabling the SCTP over UDP:

  # ip net exec ha sysctl -w net.sctp.udp_port=9899
  # ip net exec ha sysctl -w net.sctp.encap_port=9899
  # ip net exec hb sysctl -w net.sctp.udp_port=9899
  # ip net exec hb sysctl -w net.sctp.encap_port=9899
  # ip net exec ha iperf3 -s

- without this patch:

  # ip net exec hb iperf3 -c 192.168.0.1 --sctp
  [ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender
  [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver

- with this patch:

  # ip net exec hb iperf3 -c 192.168.0.1 --sctp
  [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender
  [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver
Meta Information

Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor   Product        Version / Range
linux    linux_kernel   *
CWE ID: CWE-UNKNOWN
AI Quick Actions
Executive Summary

This vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) over UDP implementation. The issue arises because the functions udp_tunnel_xmit_skb() and udp_tunnel6_xmit_skb() are expected to run with bottom halves (BH) disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), the per-CPU recursion counter updates (dev_xmit_recursion_inc()/dec()) on the udp(6)_tunnel_xmit_skb() -> ip(6)_tunnel_xmit() path must be balanced on the same CPU. Without disabling BH, the execution context can be preempted and migrated to another CPU between the increment and the decrement, breaking this balance.

This imbalance can cause incorrect recursion level detection, leading to packet drops in ip(6)_tunnel_xmit() or __dev_queue_xmit(). The fix disables BH around both the IPv4 and IPv6 SCTP UDP transmit paths so that the increment and decrement always land on the same CPU's counter.
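As an added illustration (not the kernel's code and not part of this record), a user-space C model of the inc/dec pairing the description refers to: a per-CPU recursion counter, a preemption point where the context can migrate unless BH is disabled, and the drop that ip(6)_tunnel_xmit() performs once the limit is exceeded. The limit of 8, the unsigned counter type and the simplified function bodies are assumptions of the model.

```c
#include <stdbool.h>

/* Toy model of the per-CPU xmit recursion counter. The limit of 8 and the
 * unsigned counter type are assumptions of this model, not kernel code. */
#define NR_CPUS 2
#define XMIT_RECURSION_LIMIT 8
static unsigned short xmit_recursion[NR_CPUS];
static int current_cpu;
static bool bh_disabled;

static void local_bh_disable(void) { bh_disabled = true; }
static void local_bh_enable(void)  { bh_disabled = false; }
/* The scheduler moving this context to another CPU: only while BH is enabled. */
static void maybe_migrate(int to_cpu) { if (!bh_disabled) current_cpu = to_cpu; }

static void dev_xmit_recursion_inc(void) { xmit_recursion[current_cpu]++; }
static void dev_xmit_recursion_dec(void) { xmit_recursion[current_cpu]--; }
static bool dev_xmit_recursion(void) { return xmit_recursion[current_cpu] > XMIT_RECURSION_LIMIT; }

/* Modeled ip(6)_tunnel_xmit(): refuse when the limit is exceeded, otherwise
 * inc, transmit (a possible preemption point), dec. Returns true if sent. */
static bool tunnel_xmit(int other_cpu)
{
    if (dev_xmit_recursion()) return false;   /* packet dropped */
    dev_xmit_recursion_inc();
    maybe_migrate(other_cpu);  /* unfixed: context may move CPUs here... */
    dev_xmit_recursion_dec();  /* ...so this decrements the other CPU's counter */
    return true;
}

/* SCTP UDP-encapsulation send path; `fixed` adds the patch's BH disable. */
static bool sctp_udp_xmit(bool fixed, int other_cpu)
{
    if (fixed) local_bh_disable();
    bool sent = tunnel_xmit(other_cpu);
    if (fixed) local_bh_enable();
    return sent;
}

/* Send n packets, alternating the starting CPU; returns how many were dropped.
 * Unfixed, one counter over-counts and the other underflows past the limit. */
int run_sctp_udp_xmit(bool fixed, int n)
{
    int dropped = 0;
    xmit_recursion[0] = xmit_recursion[1] = 0;
    for (int i = 0; i < n; i++) {
        current_cpu = i % NR_CPUS;
        if (!sctp_udp_xmit(fixed, (i + 1) % NR_CPUS))
            dropped++;
    }
    return dropped;
}
```

With 20 packets the unfixed path drops 11 of them while the fixed path drops none, which is the mechanism behind the throughput gap shown in the description.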

Impact Analysis

The vulnerability can cause packets to be dropped during SCTP over UDP transmission due to incorrect recursion level detection. This results in degraded network performance and reduced throughput.

For example, testing showed that without the patch, SCTP over UDP throughput was significantly lower (around 31.2 Mbits/sec), whereas with the patch, throughput improved drastically (up to 2.69 Gbits/sec). Therefore, the impact is primarily on network reliability and performance when using SCTP over UDP.

Detection Guidance

This vulnerability can be detected by testing SCTP over UDP performance on your system using iperf3 with SCTP enabled. The example below, taken from the patch author's test setup, uses two network namespaces (ha and hb) as the two hosts; it shows how to enable SCTP over UDP ports and run iperf3 to observe the throughput difference that indicates the presence of the vulnerability.

  • Enable SCTP over UDP on both hosts using sysctl:
      # ip net exec ha sysctl -w net.sctp.udp_port=9899
      # ip net exec ha sysctl -w net.sctp.encap_port=9899
      # ip net exec hb sysctl -w net.sctp.udp_port=9899
      # ip net exec hb sysctl -w net.sctp.encap_port=9899
  • Run the iperf3 server on one host:
      # ip net exec ha iperf3 -s
  • Run the iperf3 client with SCTP on the other host and observe the throughput:
      # ip net exec hb iperf3 -c 192.168.0.1 --sctp

Without the patch, throughput is significantly lower (around 31 Mbits/sec), while with the patch, throughput improves drastically (around 2.69 Gbits/sec), indicating whether the vulnerability is present.

Mitigation Strategies

The vulnerability is fixed by disabling bottom halves (BH) around both IPv4 and IPv6 SCTP UDP transmit paths in the Linux kernel. Therefore, the immediate mitigation step is to apply the patch that includes this fix to your Linux kernel.

Until the patch is applied, you may experience packet drops and degraded SCTP over UDP performance.
