CVE-2026-46273 Overview
CVE-2026-46273 is a denial-of-service vulnerability in the Linux kernel's ibmveth driver, which supports IBM Power systems virtual Ethernet adapters. Some physical adapters on Power systems do not support segmentation offload when the Maximum Segment Size (MSS) is less than 224 bytes. Attempting to transmit such packets causes the adapter to freeze, halting all network traffic until the device is manually reset. The issue triggers when hardware attempts segmentation (gso_segs > 1) with a small MSS value, exercising a problematic Large Send Offload (LSO) code path.
Critical Impact
A local user able to influence transmitted packet MSS values can freeze the physical network adapter, resulting in a sustained denial of service that requires manual intervention to recover.
Affected Products
- Linux kernel ibmveth virtual Ethernet driver on IBM Power systems
- Systems using affected physical adapters in Shared Ethernet Adapter (SEA) configurations
- Configurations involving VLAN and QinQ (802.1ad) traffic where the hardware parser lacks offload support
Discovery Timeline
- 2026-06-03 - CVE-2026-46273 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46273
Vulnerability Analysis
The ibmveth driver passes Generic Segmentation Offload (GSO) packets to the hardware for segmentation without validating whether the MSS falls within the adapter's supported range. When the MSS is below 224 bytes and the packet contains more than one segment (gso_segs > 1), the physical adapter enters a frozen state. All transmission ceases on the affected interface until the adapter is reset out of band. Single-segment GSO packets (gso_segs == 1) bypass the problematic LSO path and transmit normally.
The fix introduces an ndo_features_check callback that disables GSO when MSS is below 224 bytes, forcing the network stack to perform software segmentation instead. The callback also invokes vlan_features_check() to handle VLAN and QinQ (802.1ad) packets correctly, since the hardware parser may not support certain offload features for stacked VLAN tags.
Root Cause
The driver lacked sanity checks on outbound GSO packet MSS values before handing them to the hardware. The 224-byte minimum matches the threshold previously established for ibmvnic in commit f10b09ef687f ("ibmvnic: Enforce stronger sanity checks on GSO packets"), which targets the same physical adapters used in SEA configurations.
Attack Vector
An attacker with the ability to set or influence the MSS of transmitted TCP packets can trigger the condition. The vulnerability was validated using iptables to force small MSS values, after which the adapter froze. The exploitation path requires local control over packet generation parameters or upstream influence on path MTU and MSS negotiation reaching the affected interface.
No public exploit code is associated with this issue. Refer to the upstream kernel commits linked in the references for the full technical fix.
Detection Methods for CVE-2026-46273
Indicators of Compromise
- Sudden loss of network connectivity on Power systems using ibmveth interfaces, with no link-state change events in kernel logs
- Stalled TCP transmission queues on the affected interface accompanied by manual reset requirements to restore traffic
- Presence of traffic with TCP MSS values below 224 bytes immediately preceding the adapter freeze
Detection Strategies
- Monitor kernel logs for ibmveth transmit errors, watchdog timeouts, or TX queue stalls on Power systems
- Inspect outbound traffic flows for unusually small MSS values that could trigger the LSO path on vulnerable kernels
- Correlate interface reset events with preceding traffic patterns to identify suspected triggers
Monitoring Recommendations
- Track installed kernel versions across IBM Power fleets and flag hosts without the upstream ibmvethndo_features_check fix
- Alert on iptables or nftables rule changes that clamp MSS to values below 224 bytes on production interfaces
- Watch for repeated link or queue resets on virtual Ethernet adapters as a signal of recurring exploitation attempts
How to Mitigate CVE-2026-46273
Immediate Actions Required
- Apply the upstream Linux kernel patches that introduce the ndo_features_check callback in the ibmveth driver
- Inventory all IBM Power systems running ibmveth and prioritize patching hosts exposed to untrusted tenants or workloads
- Restrict the ability of unprivileged users and containers to modify firewall rules that clamp TCP MSS values
Patch Information
The fix is available in multiple stable Linux kernel branches. Relevant commits include Linux Kernel Commit 1cdf5db, Linux Kernel Commit 3af24f0, Linux Kernel Commit 82bc89f, Linux Kernel Commit 86fc645, Linux Kernel Commit 9a5e984, Linux Kernel Commit c1f2618, Linux Kernel Commit cc427d2, and Linux Kernel Commit db8012c. Coordinate with your Linux distribution vendor for backported packages.
Workarounds
- Disable TSO and GSO on affected ibmveth interfaces using ethtool -K <iface> tso off gso off until the patch is applied
- Remove or audit iptables and nftables rules that clamp TCP MSS to values below 224 bytes
- Constrain administrative network configuration privileges to trusted operators on multi-tenant Power hosts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
