Description
In the Linux kernel, the following vulnerability has been resolved:

ibmveth: Disable GSO for packets with small MSS

Some physical adapters on Power systems do not support segmentation
offload when the MSS is less than 224 bytes. Attempting to send such
packets causes the adapter to freeze, stopping all traffic until
manually reset.

Implement ndo_features_check to disable GSO for packets with small MSS
values. The network stack will perform software segmentation instead.

The 224-byte minimum matches ibmvnic
commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks
on GSO packets")
which uses the same physical adapters in SEA configurations.

The issue occurs specifically when the hardware attempts to perform
segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
(gso_segs == 1) do not trigger the problematic LSO code path and are
transmitted normally without segmentation.

Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
Also call vlan_features_check() to ensure proper handling of VLAN packets,
particularly QinQ (802.1ad) configurations where the hardware parser may
not support certain offload features.

Validated using iptables to force small MSS values. Without the fix,
the adapter freezes. With the fix, packets are segmented in software
and transmission succeeds. Comprehensive regression testing completedd
(MSS tests, performance, stability).
Published: 2026-06-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, physical adapters on IBM Power systems that lack support for segmentation offloading when the maximum segment size is less than 224 bytes can become locked when such packets are transmitted. The issue allows the network stack to request hardware general segmentation offload (GSO) for these packets, causing the adapter to freeze and halt all traffic until a manual reset. Adding an ndo_features_check routine disables GSO for MSS values below 224, causing the stack to perform software segmentation instead and eliminating the freeze. This flaw is identified as CWE‑1284, highlighting improper handling of segmentation offloading parameters.

Affected Systems

Affected systems include Linux kernels running on IBM Power Architecture platforms that use the ibmveth or ibmvnic drivers. Any kernel version preceding the commit that introduced the ndo_features_check and VLAN handling patch is vulnerable. Updating to a kernel that incorporates those changes removes the risk.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity. The EPSS score of <1% indicates a very low likelihood of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. An attacker with network access could trigger the denial of service by sending a packet with an MSS lower than 224 bytes, which would cause the physical adapter to freeze. Until the patch is applied, the risk remains significant.

Generated by OpenCVE AI on June 9, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the ibmveth and ibmvnic commit disabling GSO for MSS values below 224 bytes (c1f261863e65b508f37416dfbc5c5d911c9b9233), directly resolving the flaw identified as CWE‑1284.
  • Because the flaw is an improper handling of GSO parameters (CWE‑1284), disable GSO and related offloading features on affected interfaces using ethtool, e.g., `ethtool -K <iface> gso off tso off gro off tx off`.
  • Ensure that outbound packets have an MSS of at least 224 bytes, which mitigates the potential hardware freeze associated with CWE‑1284; adjust system or firewall rules, such as setting `net.ipv4.tcp_mtu_prot_min`, or using iptables to enforce an MSS of 224 bytes.

Generated by OpenCVE AI on June 9, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Thu, 04 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset. Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead. The 224-byte minimum matches ibmvnic commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks on GSO packets") which uses the same physical adapters in SEA configurations. The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation. Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features. Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).
Title ibmveth: Disable GSO for packets with small MSS
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:05:30.074Z

Reserved: 2026-05-13T15:03:33.109Z

Link: CVE-2026-46273

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T18:16:29.160

Modified: 2026-06-09T17:31:31.780

Link: CVE-2026-46273

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46273 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T18:45:06Z

Weaknesses