In the Linux kernel, the following vulnerability has been resolved:
sctp: disable BH before calling udptunnelxmit_skb()
udptunnelxmitskb() / udptunnel6xmitskb() are expected to run with BH disabled. After commit 6f1a9140ecda ("add xmit recursion limit to tunnel xmit functions"), on the path:
udp(6)tunnelxmitskb() -> ip(6)tunnelxmit()
devxmitrecursion_inc()/dec() must stay balanced on the same CPU.
Without localbhdisable(), the context may move between CPUs, which can break the inc/dec pairing. This may lead to incorrect recursion level detection and cause packets to be dropped in ip(6)tunnelxmit() or __devqueuexmit().
Fix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.
In my testing, after enabling the SCTP over UDP:
# ip net exec ha sysctl -w net.sctp.udpport=9899 # ip net exec ha sysctl -w net.sctp.encapport=9899 # ip net exec hb sysctl -w net.sctp.udpport=9899 # ip net exec hb sysctl -w net.sctp.encapport=9899
# ip net exec ha iperf3 -s
without this patch:
[ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver
with this patch:
[ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53070.json"
}