Software-Defined Networking (SDN) enables network inno- vations with a centralized controller controlling the whole network through the control channel. Because the control channel delivers all network control traffic, its security and reliability are of great importance. For the first time in the literature, we propose the CrossPath attack that disrupts the SDN control channel by exploiting the shared links in paths of control traffic and data traffic. In this attack, crafted data traffic can implicitly disrupt the forwarding of control traffic in the shared links. As the data traffic does not enter the con- trol channel, the attack is stealthy and cannot be easily per- ceived by the controller. In order to identify the target paths containing the shared links to attack, we develop a novel technique called adversarial path reconnaissance. Both the- oretic analysis and experimental results demonstrate its fea- sibility and efficiency of identifying the target paths. We systematically study the impacts of the attack on various net- work applications in a real SDN testbed. Experiments show the attack significantly degrades the performance of exist- ing network applications and causes serious network anoma- lies, e.g., routing blackhole, flow table resetting, and even network-wide DoS.