Skip to main content

Linux Kernel CVE-2026-53070

| EUVDEUVD-2026-38938 HIGH
2026-06-24 Linux GHSA-q4jf-gp35-367g
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
2.5 LOW

Requires non-default SCTP-over-UDP config (PR:L) and race-dependent CPU migration (AC:H); impact is degraded throughput on the local host (AV:L, A:L), with no confidentiality or integrity effect.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:02 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.5 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.5
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

sctp: disable BH before calling udp_tunnel_xmit_skb()

udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path:

udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit()

dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU.

Without local_bh_disable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)_tunnel_xmit() or __dev_queue_xmit().

Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.

In my testing, after enabling the SCTP over UDP:

ip net exec ha sysctl -w net.sctp.udp_port=9899

ip net exec ha sysctl -w net.sctp.encap_port=9899

ip net exec hb sysctl -w net.sctp.udp_port=9899

ip net exec hb sysctl -w net.sctp.encap_port=9899

ip net exec ha iperf3 -s

  • without this patch:

ip net exec hb iperf3 -c 192.168.0.1 --sctp

[ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver

  • with this patch:

ip net exec hb iperf3 -c 192.168.0.1 --sctp

[ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver

AnalysisAI

Denial-of-service (packet drops and severe throughput degradation) affects the Linux kernel SCTP-over-UDP encapsulation path, where udp_tunnel_xmit_skb()/udp_tunnel6_xmit_skb() were called without disabling bottom halves. After the xmit recursion-limit change (commit 6f1a9140ecda), the unbalanced per-CPU dev_xmit_recursion_inc/dec pairing can misdetect recursion and drop packets in ip(6)_tunnel_xmit() or __dev_queue_xmit(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host configured with SCTP-over-UDP encap
Delivery
SCTP traffic enters udp_tunnel_xmit path
Exploit
BH not disabled, context migrates CPUs
Execution
Recursion counter inc/dec unbalanced
Persist
False recursion-limit detection
Impact
Packets dropped, throughput collapses (DoS)

Vulnerability AssessmentAI

Exploitation Requires the target Linux host to have SCTP-over-UDP encapsulation explicitly enabled - specifically sysctls net.sctp.udp_port and net.sctp.encap_port configured (non-default) and active SCTP traffic flowing through the UDP tunnel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent toward low real-world urgency despite the 7.5 'High' base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a host configured for SCTP-over-UDP (net.sctp.udp_port and net.sctp.encap_port set), normal SCTP traffic transmitted through the UDP tunnel triggers CPU migration that unbalances the per-CPU recursion counter, causing the kernel to falsely detect transmit recursion and drop the packets. The observable result is a denial of service in the form of collapsed SCTP throughput (demonstrated as ~31 Mbit/s instead of ~2.69 Gbit/s) and intermittent loss. …
Remediation Apply the upstream kernel fix that wraps both the IPv4 and IPv6 SCTP UDP transmit paths in local_bh_disable()/local_bh_enable(); it is available in the stable trees as commits 790093245e35040c2adb15f48970020425aa3f47 and 2cd7e6971fc2787408ceef17906ea152791448cf (https://git.kernel.org/stable/c/790093245e35040c2adb15f48970020425aa3f47 and https://git.kernel.org/stable/c/2cd7e6971fc2787408ceef17906ea152791448cf; see also https://git.kernel.org/stable/c/0de7db2eb27e82b983157016fa604b1ba664ae5f), corresponding to fixed releases noted as 7.0.10 and 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify systems using SCTP-over-UDP network tunneling in your infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy