{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53070", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-06-09T07:44:35.382Z", "datePublished": "2026-06-24T16:30:11.816Z", "dateUpdated": "2026-06-28T06:38:54.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-28T06:38:54.908Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: disable BH before calling udp_tunnel_xmit_skb()\n\nudp_tunnel_xmit_skb() / udp_tunnel6_xmit_skb() are expected to run with\nBH disabled. After commit 6f1a9140ecda (\"add xmit recursion limit to\ntunnel xmit functions\"), on the path:\n\n udp(6)_tunnel_xmit_skb() -> ip(6)tunnel_xmit()\n\ndev_xmit_recursion_inc()/dec() must stay balanced on the same CPU.\n\nWithout local_bh_disable(), the context may move between CPUs, which can\nbreak the inc/dec pairing. This may lead to incorrect recursion level\ndetection and cause packets to be dropped in ip(6)_tunnel_xmit() or\n__dev_queue_xmit().\n\nFix it by disabling BH around both IPv4 and IPv6 SCTP UDP xmit paths.\n\nIn my testing, after enabling the SCTP over UDP:\n\n # ip net exec ha sysctl -w net.sctp.udp_port=9899\n # ip net exec ha sysctl -w net.sctp.encap_port=9899\n # ip net exec hb sysctl -w net.sctp.udp_port=9899\n # ip net exec hb sysctl -w net.sctp.encap_port=9899\n\n # ip net exec ha iperf3 -s\n\n- without this patch:\n\n # ip net exec hb iperf3 -c 192.168.0.1 --sctp\n [ 5] 0.00-10.00 sec 37.2 MBytes 31.2 Mbits/sec sender\n [ 5] 0.00-10.00 sec 37.1 MBytes 31.1 Mbits/sec receiver\n\n- with this patch:\n\n # ip net exec hb iperf3 -c 192.168.0.1 --sctp\n [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec sender\n [ 5] 0.00-10.00 sec 3.14 GBytes 2.69 Gbits/sec receiver"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sctp/ipv6.c", "net/sctp/protocol.c"], "versions": [{"version": "046c052b475e7119b6a30e3483e2888fc606a2f8", "lessThan": "0de7db2eb27e82b983157016fa604b1ba664ae5f", "status": "affected", "versionType": "git"}, {"version": "046c052b475e7119b6a30e3483e2888fc606a2f8", "lessThan": "790093245e35040c2adb15f48970020425aa3f47", "status": "affected", "versionType": "git"}, {"version": "046c052b475e7119b6a30e3483e2888fc606a2f8", "lessThan": "2cd7e6971fc2787408ceef17906ea152791448cf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sctp/ipv6.c", "net/sctp/protocol.c"], "versions": [{"version": "5.11", "status": "affected"}, {"version": "0", "lessThan": "5.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.37", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.10", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.18.37"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "7.0.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "7.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0de7db2eb27e82b983157016fa604b1ba664ae5f"}, {"url": "https://git.kernel.org/stable/c/790093245e35040c2adb15f48970020425aa3f47"}, {"url": "https://git.kernel.org/stable/c/2cd7e6971fc2787408ceef17906ea152791448cf"}], "title": "sctp: disable BH before calling udp_tunnel_xmit_skb()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{}

{"bugzilla": {"description": "kernel: sctp: disable BH before calling udp_tunnel_xmit_skb()", "id": "2492347", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492347"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-821", "details": ["A flaw was found in the Linux kernel's Stream Control Transmission Protocol (SCTP) over User Datagram Protocol (UDP) implementation. An issue with managing the transmission context across different processing units could lead to incorrect recursion level detection. This can cause network packets to be dropped, resulting in a Denial of Service (DoS) for affected systems."], "name": "CVE-2026-53070", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-53070\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-53070\nhttps://lore.kernel.org/linux-cve-announce/2026062404-CVE-2026-53070-0031@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[046c052b475e7119b6a30e3483e2888fc606a2f8,790093245e35040c2adb15f48970020425aa3f47)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[046c052b475e7119b6a30e3483e2888fc606a2f8,2cd7e6971fc2787408ceef17906ea152791448cf)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.10,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-06-24T19:30:08.641300+00:00", "updated": "2026-06-28T14:30:07.139937+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}