CVE-2026-43194 Overview
CVE-2026-43194 is a Linux kernel networking flaw in the TCP transmit path that causes connections to stall when Generic Segmentation Offload (GSO) frames experience partial transmit losses on devices without a queueing discipline (Qdisc). The kernel's tcp_write_xmit() function only inspects the return code from the last segment of a GSO super frame, so the loss of any single segment is incorrectly interpreted as the loss of the entire frame. This causes snd_nxt to lag the actual data sent, and subsequent acknowledgements from the receiver are rejected as TCP_ACK_UNSENT_DATA, freezing the connection.
Critical Impact
TCP connections over Qdisc-less devices such as veth can deadlock after segment drops, producing denial-of-service-like behavior in containerized and virtualized networking stacks.
Affected Products
- Linux kernel networking subsystem (TCP/GSO transmit path)
- Configurations using veth interfaces without a Qdisc (containers, network namespaces)
- Non-IP transports such as CAN and MCTP that bypass the Qdisc layer
Discovery Timeline
- 2026-05-06 - CVE-2026-43194 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43194
Vulnerability Analysis
The defect lives in the Linux TCP transmit logic where GSO super frames are handed to the device layer. When a driver such as veth drops a segment, it returns an error from ndo_start_xmit(). TCP receives only the return code of the final segment, so it cannot distinguish between "no segments sent" and "some segments sent."
If the last segment of a GSO frame is dropped while earlier segments are transmitted, tcp_write_xmit() treats the entire write as failed and does not advance snd_nxt. The peer, however, receives the successful segments and acknowledges sequence numbers beyond the sender's recorded snd_nxt. The sender then discards the ACK as referencing data it never sent, and retransmissions from the rtx queue fail to converge with the receiver's state. The connection stalls until the application times out or is killed.
Root Cause
The root cause is the ambiguous semantics of the ndo_start_xmit() return code combined with TCP's reliance on that code to update snd_nxt. The Qdisc layer normally hides driver-level errors from the protocol layer, but Qdisc-less paths expose the inconsistency. The protocol receives a single boolean-like return for an entire batch of segments, which is insufficient to represent partial success.
Attack Vector
An unprivileged local actor sharing a network namespace, or a workload able to induce drops on a veth link, can trigger the stall by causing intermittent segment loss during bursty TCP traffic. Container orchestration platforms that rely on veth pairs without Qdisc attachment are the most exposed environments. Remote exploitation requires the ability to induce loss patterns on a Qdisc-less interface, which is generally not reachable from the network. The vulnerability manifests as a reliability and availability issue rather than a memory corruption primitive. See the kernel commit fixing the issue for the patch details.
Detection Methods for CVE-2026-43194
Indicators of Compromise
- TCP connections that hang indefinitely with non-empty retransmit queues despite the peer acknowledging higher sequence numbers.
- Increasing TCPACKSkippedSeq or TCP_ACK_UNSENT_DATA counters in /proc/net/netstat on hosts using veth without a Qdisc.
- Test failures in udpgro_frglist.sh and udpgro_bench.sh from the kernel selftests, including 10-minute timeouts on TCP GRO subtests.
Detection Strategies
- Inspect packet captures on veth endpoints for ACKs that reference sequence numbers ahead of the sender's last observed transmission.
- Use ss -ti to identify sockets with stuck snd_nxt and large unacked segments while the peer continues to acknowledge new data.
- Correlate XDP program attachment on veth interfaces with sudden drops in TCP throughput across container workloads.
Monitoring Recommendations
- Monitor kernel netstat counters including TCPAbortOnTimeout and out-of-window ACK statistics for unexpected growth.
- Track per-interface drop counters on veth pairs and correlate with TCP retransmission spikes.
- Alert on long-lived TCP sessions inside container hosts where RTT or retransmit timers diverge sharply from baseline.
How to Mitigate CVE-2026-43194
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits, including 0c9de092, 4cb163e9, 56bd32c0, 7aa767d0, 9ac6aebe, ae3f627b, c86901d2, and ea5d7787.
- Rebuild and reboot affected hosts after patch deployment to ensure the corrected tcp_write_xmit() path is loaded.
- Audit container hosts and virtualization platforms for veth interfaces operating without an attached Qdisc.
Patch Information
The fix masks the return code from ndo_start_xmit() for GSO frames on Qdisc-less paths so that TCP no longer interprets a partial loss as a full loss. The relevant commits are tracked in the upstream stable tree, including 0c9de092, 4cb163e9, 56bd32c0, 7aa767d0, 9ac6aebe, ae3f627b, c86901d2, and ea5d7787.
Workarounds
- Attach a Qdisc such as fq_codel or pfifo_fast to veth interfaces so that the Qdisc layer absorbs driver errors before they reach TCP.
- Avoid configurations that disable TSO and force NAPI on veth pairs unless required for testing.
- Where feasible, route container traffic through bridges or interfaces that retain default Qdisc behavior until kernels are patched.
# Attach a default Qdisc to a veth interface as a temporary workaround
sudo tc qdisc add dev veth0 root fq_codel
# Verify the Qdisc is attached
tc qdisc show dev veth0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
