Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Requires non-default SCTP-over-UDP config (PR:L) and race-dependent CPU migration (AC:H); impact is degraded throughput on the local host (AV:L, A:L), with no confidentiality or integrity effect.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
sctp: disable BH before calling udp_tunnel_xmit_skb()
udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path:
udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit()
dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU.
Without local_bh_disable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)_tunnel_xmit() or __dev_queue_xmit().
Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.
In my testing, after enabling the SCTP over UDP:
ip net exec ha sysctl -w net.sctp.udp_port=9899
ip net exec ha sysctl -w net.sctp.encap_port=9899
ip net exec hb sysctl -w net.sctp.udp_port=9899
ip net exec hb sysctl -w net.sctp.encap_port=9899
ip net exec ha iperf3 -s
- without this patch:
ip net exec hb iperf3 -c 192.168.0.1 --sctp
[ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver
- with this patch:
ip net exec hb iperf3 -c 192.168.0.1 --sctp
[ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver
AnalysisAI
Denial-of-service (packet drops and severe throughput degradation) affects the Linux kernel SCTP-over-UDP encapsulation path, where udp_tunnel_xmit_skb()/udp_tunnel6_xmit_skb() were called without disabling bottom halves. After the xmit recursion-limit change (commit 6f1a9140ecda), the unbalanced per-CPU dev_xmit_recursion_inc/dec pairing can misdetect recursion and drop packets in ip(6)_tunnel_xmit() or __dev_queue_xmit(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target Linux host to have SCTP-over-UDP encapsulation explicitly enabled - specifically sysctls net.sctp.udp_port and net.sctp.encap_port configured (non-default) and active SCTP traffic flowing through the UDP tunnel. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent toward low real-world urgency despite the 7.5 'High' base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host configured for SCTP-over-UDP (net.sctp.udp_port and net.sctp.encap_port set), normal SCTP traffic transmitted through the UDP tunnel triggers CPU migration that unbalances the per-CPU recursion counter, causing the kernel to falsely detect transmit recursion and drop the packets. The observable result is a denial of service in the form of collapsed SCTP throughput (demonstrated as ~31 Mbit/s instead of ~2.69 Gbit/s) and intermittent loss. … |
| Remediation | Apply the upstream kernel fix that wraps both the IPv4 and IPv6 SCTP UDP transmit paths in local_bh_disable()/local_bh_enable(); it is available in the stable trees as commits 790093245e35040c2adb15f48970020425aa3f47 and 2cd7e6971fc2787408ceef17906ea152791448cf (https://git.kernel.org/stable/c/790093245e35040c2adb15f48970020425aa3f47 and https://git.kernel.org/stable/c/2cd7e6971fc2787408ceef17906ea152791448cf; see also https://git.kernel.org/stable/c/0de7db2eb27e82b983157016fa604b1ba664ae5f), corresponding to fixed releases noted as 7.0.10 and 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify systems using SCTP-over-UDP network tunneling in your infrastructure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38938
GHSA-q4jf-gp35-367g