CVE-2026-46273: Linux ibmveth Adapter Freeze with Small Packet Segments
A flaw in the Linux kernel's ibmveth driver can cause certain Power system network adapters to freeze when handling segmented network traffic with unusually small packet sizes. The adapter lockup stops all network traffic until manual intervention, creating a denial-of-service condition. The issue occurs only when the adapter's hardware segmentation feature (GSO) encounters packets smaller than 224 bytes that require splitting into multiple segments. The fix implements a software-based workaround that performs segmentation on the system side instead of relying on the hardware, preventing the adapter freeze.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset. Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead. The 224-byte minimum matches ibmvnic commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks on GSO packets") which uses the same physical adapters in SEA configurations. The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation. Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features. Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46273 addresses a hardware limitation in IBM POWER system network adapters (ibmveth) that manifests when Generic Segmentation Offload (GSO) is applied to packets with a Maximum Segment Size (MSS) below 224 bytes. The physical adapter's Large Segmentation Offload (LSO) implementation cannot process such small segments correctly, resulting in adapter failure. The vulnerability is resolved by adding an ndo_features_check callback to the ibmveth driver that disables GSO for packets meeting the problematic criteria (MSS < 224 bytes, gso_segs > 1). Single-segment packets bypass the LSO code path and are unaffected. The fix also integrates vlan_features_check() to handle VLAN and QinQ configurations properly, ensuring offload features align with hardware capabilities across different packet encapsulation scenarios.
Business impact
Organizations running Power-based Linux systems relying on ibmveth network adapters face intermittent complete network outages when the adapter encounters specific traffic patterns—particularly in cloud or virtualized environments where MSS negotiation may result in small segment sizes. These outages require manual adapter reset, disrupting service availability and requiring out-of-band intervention. The impact is heightened in production environments with QinQ VLAN configurations or systems subjected to firewall rules that modify MSS values. Until patched, affected systems become unreliable for mission-critical workloads, with potential data transfer interruptions and operational overhead from manual recovery procedures.
Affected systems
The vulnerability affects Linux kernel installations running on IBM POWER systems that use the ibmveth driver for network connectivity. This encompasses POWER7, POWER8, POWER9, and POWER10 architectures where ibmveth is the primary virtualized network interface. Affected systems include both traditional on-premises Power systems and cloud platforms offering Power instances. The issue is specific to hardware that implements LSO with the identified MSS limitation; systems using alternative network drivers or non-POWER architectures are unaffected. Virtual machines and containers on affected POWER hosts inherit the risk through inherited network device configuration.
Exploitability
The vulnerability requires no attacker action to trigger—it activates passively when legitimate network traffic encounters conditions that naturally produce small MSS values. This occurs in environments where firewall rules enforce Path MTU Discovery (PMTUD) resulting in small MSS negotiation, or in cloud environments with restrictive network segmentation. No authentication, privilege escalation, or special network access is required; any system generating traffic to a destination with constrained MSS can inadvertently trigger the adapter freeze. While not remotely exploitable in the traditional sense, the condition is easily reproducible through standard network configuration, making it a practical denial-of-service vector for anyone with network access to affected systems. The absence of an exploit prerequisite elevates the practical risk despite the targeted hardware scope.
Remediation
Apply the kernel patch that implements the ndo_features_check callback in the ibmveth driver to disable GSO for packets with MSS < 224 bytes. The patch also integrates vlan_features_check() for VLAN compatibility. Verify the patch against the vendor advisory to confirm the exact kernel versions addressed. After patching, reboot systems to activate the updated driver. No configuration changes are required post-patch; the fix operates transparently, falling back to software-based segmentation for affected packets. Testing should verify that network traffic flows normally and that no adapter resets occur during regular operations, especially in environments with QinQ VLAN configurations or systems subject to MSS constraints.
Patch guidance
Obtain the kernel update from your Linux distribution's security repository or directly from the kernel.org stable branch. The fix requires kernel rebuild and reinstallation on affected POWER systems. Coordinate patching during maintenance windows to minimize downtime, as kernel updates typically require system reboot. Prioritize systems in production environments running virtualized workloads with constrained network paths. Verify patch application by checking kernel logs for adapter initialization messages and confirming ndo_features_check registration. Test failover and high-availability configurations after patching to ensure consistent behavior across redundant systems.
Detection guidance
Monitor for repeated network adapter resets or unavailability of the ibmveth interface; these are primary symptoms of the condition. Check kernel logs (dmesg, /var/log/kern.log) for errors related to the ibmveth driver or adapter communication failures coinciding with network traffic spikes. Use packet analysis tools to identify traffic patterns producing small MSS values on outgoing connections; examine firewall rules and PMTUD configuration that may induce such conditions. Performance monitoring tools tracking network interface state transitions may reveal adapter resets. In virtualized environments, correlate adapter failures with guest OS traffic profiles and VLAN configurations. After patching, absence of these symptoms indicates successful remediation.
Why prioritize this
Although the CVSS 3.1 score of 8.6 (HIGH) reflects broad network reachability and severe availability impact, the vulnerability's scope is narrower than the score might initially suggest—limited to POWER systems using ibmveth. However, for organizations operating such infrastructure, the combination of high likelihood (passive trigger), complete availability loss (adapter freeze), and operational overhead (manual reset) mandates prompt patching. The condition is reproducible in many network environments, elevating practical risk. Organizations should prioritize based on Power system footprint: critical for those with significant POWER deployments; standard for mixed-architecture environments where POWER systems support secondary workloads.
Risk score, explained
The CVSS 3.1 score of 8.6 reflects an attack vector that is network-based, requires no authentication, and involves low attack complexity, yielding a base score that emphasizes broad accessibility. The scope is marked as changed because the impact extends beyond the vulnerable component (adapter freeze affects all traffic on the system). The availability impact is rated severe (complete loss of network connectivity until manual intervention), while confidentiality and integrity impacts are none (no data exposure or modification occurs). The score appropriately captures the operational severity for affected Power systems but should be contextualized within organizational risk tolerance: critical for production Power infrastructure; elevated but manageable for non-critical deployments.
Frequently asked questions
Does this vulnerability affect non-POWER Linux systems or systems using other network drivers?
No. CVE-2026-46273 is specific to the ibmveth driver used on IBM POWER architecture systems. Linux systems on x86, ARM, or other architectures, or POWER systems using alternative network drivers, are not affected. The hardware limitation resides in specific POWER adapter implementations and is not present in other network interface hardware.
Can the adapter freeze be triggered remotely, or is local network access required?
The adapter freeze is triggered by packets with specific MSS characteristics passing through the network adapter. In practice, this occurs through normal network traffic when MSS negotiation results in values below 224 bytes, which can happen in any network path with firewalls, VPN configurations, or MTU constraints. No special remote exploit code or direct attacker manipulation is required—the condition activates automatically with legitimate traffic, making it a passive denial-of-service vector.
What is the difference between GSO and the hardware's LSO, and why does the patch use software segmentation instead?
GSO (Generic Segmentation Offload) is a kernel feature that delegates packet segmentation to hardware when possible. LSO (Large Segmentation Offload) is the hardware implementation that performs actual segmentation. The ibmveth hardware's LSO implementation has a minimum MSS threshold of 224 bytes below which it fails, causing adapter freeze. The patch disables GSO for packets below this threshold, forcing the Linux kernel to perform segmentation in software instead. Software segmentation is slower but reliable and prevents the hardware from encountering the problematic condition.
Will the patch affect network performance on POWER systems?
The patch has minimal performance impact. Only packets with MSS < 224 bytes use software segmentation; all other traffic continues to benefit from hardware offload. In most network environments, standard MTU negotiation results in larger MSS values (typically 1448 bytes or higher), so the vast majority of traffic is unaffected. Comprehensive regression testing confirmed stability and performance. Only systems explicitly configured with very small MSS values or specific traffic patterns will experience any measurable change, and those systems currently risk adapter freeze.
This analysis is provided for informational purposes and is based on available vulnerability data as of the publication date. SEC.co makes no warranty regarding the accuracy, completeness, or applicability of this information to specific systems or environments. Organizations must verify all patch versions, affected kernel releases, and compatibility requirements against official vendor advisories before implementing remediation. Testing in non-production environments is strongly recommended. The vulnerability's practical impact depends on network architecture, traffic patterns, and system configuration; organizations should assess risk within their specific context. For definitive guidance, consult your Linux distribution's security advisories and IBM POWER system documentation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment