PT-2026-51964 · Linux · Linux
Published: 2026-06-24 · Updated: 2026-06-24 · CVE-2026-53070
Severity: None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

sctp: disable BH before calling udp_tunnel_xmit_skb()

udp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with
BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to
tunnel xmit functions"), on the path:

  udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit()

dev_xmit_recursion_inc()/dec() must stay balanced on the same CPU.

Without local_bh_disable(), the context may move between CPUs, which can
break the inc/dec pairing. This may lead to incorrect recursion level
detection and cause packets to be dropped in ip(6)_tunnel_xmit() or
dev_queue_xmit().

Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.

In my testing, after enabling the SCTP over UDP:

  ip net exec ha sysctl -w net.sctp.udp_port=9899
  ip net exec ha sysctl -w net.sctp.encap_port=9899
  ip net exec hb sysctl -w net.sctp.udp_port=9899
  ip net exec hb sysctl -w net.sctp.encap_port=9899
  ip net exec ha iperf3 -s

- without this patch:

  ip net exec hb iperf3 -c 192.168.0.1 --sctp
  [ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender
  [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver

- with this patch:

  ip net exec hb iperf3 -c 192.168.0.1 --sctp
  [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender
  [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver
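
The following user-space model is an added illustration, not kernel code and not part of the commit. It shows why an inc on one CPU and a dec on another leaves a per-CPU recursion level permanently raised until transmits are dropped. The limit value, the migration rate, the two-CPU layout and all function names are assumptions of the model.

```c
#include <stdio.h>

#define NR_CPUS 2
#define RECURSION_LIMIT 8            /* model value, assumed for this sketch */

static int xmit_recursion[NR_CPUS];  /* stands in for the per-CPU recursion level */

struct result { int sent, dropped, level_cpu0, level_cpu1; };

/* One tunnel transmit: inc on the CPU it starts on, dec on the CPU it ends on. */
static int model_tunnel_xmit(int cpu_at_inc, int cpu_at_dec)
{
    if (xmit_recursion[cpu_at_inc] > RECURSION_LIMIT)
        return -1;                   /* looks like runaway recursion: drop */
    xmit_recursion[cpu_at_inc]++;
    /* ... packet descends through the lower device here ... */
    xmit_recursion[cpu_at_dec]--;
    return 0;
}

/* bh_disabled != 0: the sender stays on CPU 0 for the whole call.
 * bh_disabled == 0: on every 4th packet (constructed rate) the sender is
 * moved to CPU 1 between the inc and the dec. */
struct result run_model(int packets, int bh_disabled)
{
    struct result r = {0, 0, 0, 0};

    xmit_recursion[0] = xmit_recursion[1] = 0;
    for (int i = 0; i < packets; i++) {
        int end_cpu = (!bh_disabled && i % 4 == 0) ? 1 : 0;

        if (model_tunnel_xmit(0, end_cpu) == 0)
            r.sent++;
        else
            r.dropped++;
    }
    r.level_cpu0 = xmit_recursion[0];
    r.level_cpu1 = xmit_recursion[1];
    return r;
}

int main(void)
{
    struct result bad = run_model(100, 0), good = run_model(100, 1);

    printf("BH enabled : sent=%d dropped=%d levels=%d/%d\n",
           bad.sent, bad.dropped, bad.level_cpu0, bad.level_cpu1);
    printf("BH disabled: sent=%d dropped=%d levels=%d/%d\n",
           good.sent, good.dropped, good.level_cpu0, good.level_cpu1);
    return 0;
}
```

In the unpinned run the level on CPU 0 never returns to zero, so once it passes the limit every later transmit from that CPU is dropped even though no recursion is taking place.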
Affected Products
Linux