CVE-2026-46273
Linux Kernel Vulnerability Analysis and Mitigation

Overview

CVE-2026-46273 is a denial-of-service vulnerability in the Linux kernel's ibmveth (IBM Virtual Ethernet) driver affecting IBM Power systems. When physical adapters attempt hardware segmentation offload (GSO/LSO) on packets with a Maximum Segment Size (MSS) below 224 bytes, the adapter freezes and halts all network traffic until manually reset. The vulnerability affects Linux kernel versions from 4.2 through multiple stable branches, with fixed versions including 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, and 7.1-rc2. It was published on June 3, 2026, and carries a CVSS v3.1 base score of 8.6 (High) (GitHub Advisory, Feedly).

Technical details

The root cause is improper handling of GSO (Generic Segmentation Offload) packets in the ibmveth driver when the hardware's Large Send Offload (LSO) engine receives packets with MSS < 224 bytes — a threshold the underlying physical adapters on Power systems cannot support. The issue is classified under CWE as an improper input validation / resource management flaw. The problem is triggered specifically when gso_segs > 1 (multi-segment GSO), as single-segment GSO packets (gso_segs == 1) bypass the problematic LSO code path entirely. The fix implements an ndo_features_check callback to disable GSO for sub-224-byte MSS packets, delegating segmentation to the software network stack, and also calls vlan_features_check() to handle QinQ (802.1ad) VLAN configurations correctly (GitHub Advisory).

Impact

Successful exploitation causes the IBM virtual Ethernet adapter to freeze completely, stopping all network traffic on the affected Power system until a manual reset is performed. The impact is purely an availability denial-of-service — there is no confidentiality or integrity impact. Any network-reachable user capable of sending or routing TCP packets with small MSS values (e.g., via crafted TCP SYN options or iptables MSS clamping) can trigger the freeze without authentication, potentially isolating the affected host from the network entirely (Feedly, GitHub Advisory).

Mitigation and workarounds

Apply the upstream Linux kernel patches available for each affected stable branch: 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, and 7.1-rc2 (GitHub Advisory). As a temporary workaround prior to patching, configure firewall rules (e.g., iptables -t mangle) to clamp or drop TCP packets with MSS values below 224 bytes at the network perimeter to prevent them from reaching the affected adapter. Additionally, network administrators can use iptables TCPMSS rules to enforce a minimum MSS of 224 bytes on all outbound and inbound connections on affected hosts.

Community reactions

The vulnerability was noted in the CISA weekly vulnerability bulletin for the week of June 1, 2026, and was flagged by the Yocto Project security mailing list as relevant to embedded Linux distributions running on Power hardware (CISA Bulletin, Yocto Security). Detection signatures have been added by Nessus (plugin 318567) and Qualys (detection ID 6279618), indicating broad scanner coverage. No significant independent researcher commentary or social media discussion has been identified beyond standard CVE aggregator coverage.

This report was generated with the help of AI.

