
Linux Kernel CVE-2026-46273 | EUVD-2026-34138 | GHSA-c3jf-v88j-7gvj
2026-06-03 | Linux | HIGH | CVSS 3.1: 8.6

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (5 events)

Analysis Generated: Jun 05, 2026 - 07:31, vuln.today
CVSS changed: Jun 05, 2026 - 07:22, NVD, 8.6 (HIGH)
Patch available: Jun 03, 2026 - 19:01, EUVD
CVE Published: Jun 03, 2026 - 16:19, nvd, UNKNOWN (no severity yet)
CVE Published: Jun 03, 2026 - 16:19, nvd, HIGH 8.6

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

ibmveth: Disable GSO for packets with small MSS

Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.

Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.

The 224-byte minimum matches ibmvnic commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks on GSO packets") which uses the same physical adapters in SEA configurations.

The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.

Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.

Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completed (MSS tests, performance, stability).

Analysis (AI)

Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify Power LPAR using ibmveth
Delivery: Establish TCP path to victim
Exploit: Negotiate sub-224-byte MSS
Install: Induce multi-segment GSO transmit
C2: Adapter LSO engine wedges
Execute: Shared physical adapter stops forwarding
Impact: Sustained DoS until manual reset

Vulnerability Assessment (AI)

Exploitation: Target must be a Linux system using the ibmveth virtual-Ethernet driver on IBM Power hardware with a physical adapter whose LSO engine rejects MSS < 224 bytes (the same adapters covered by the ibmvnic SEA hardening in commit f10b09ef687f). …
Risk Assessment: The signals here conflict sharply and warrant careful triage. …
Exploit Scenario: An attacker on a network path that traverses an IBM Power LPAR's ibmveth-backed adapter advertises an artificially small TCP MSS (for example via a crafted SYN/ACK or ICMP 'fragmentation needed' message lowering the path MSS below 224 bytes), causing the LPAR's outbound segmented packets to wedge the underlying physical adapter and halt all traffic for co-located LPARs until an operator manually resets the device. No public exploit is identified at time of analysis, but the trigger is a normal-looking packet sequence that any host capable of TCP MSS manipulation could generate; exploitation requires no authentication to the target.
Remediation: Vendor-released patch: update to the nearest stable kernel containing the ibmveth ndo_features_check fix - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc2 - using the upstream commits at https://git.kernel.org/stable/c/86fc64584811d43c9ccd74447de58620189d8b77 and the parallel stable backports (1cdf5dbc, 82bc89fb, db8012c6, c1f26186, 3af24f0c, cc427d24, 9a5e984d). …

Recommended Action (AI)

Within 24 hours: Identify all IBM Power systems running Linux and document the kernel versions deployed. …
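
Added example (not from the advisory or the kernel project): a POSIX shell helper for the inventory step above. It compares an upstream-style kernel release with the fixed versions listed in the Remediation text and lists interfaces bound to ibmveth through sysfs. Assumptions: the function names and the patched/unpatched/unlisted labels are this example's own, and distribution kernels that backport fixes without changing the upstream version number must be checked against the vendor's advisory instead.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2026-46273 (ibmveth small-MSS GSO freeze).
# Fixed release per stable branch, copied from the Remediation text on this page.
FIXED="5.10:258 5.15:209 6.1:175 6.6:140 6.12:88 6.18:30 7.0:7"

# classify_kernel RELEASE -> prints patched | unpatched | unlisted
# Assumption: RELEASE follows upstream numbering (as printed by `uname -r`).
classify_kernel() {
    base=${1%%[-+]*}                      # drop "-rc2", "-ppc64le", "+" suffixes
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) echo unlisted; return ;;   # not a numeric x.y[.z]
    esac
    # Mainline: the fix landed in 7.1-rc2, so on 7.1 and later only -rc1 lacks it.
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 1 ]; }; then
        case $1 in
            7.1.0-rc1*|7.1-rc1*) echo unpatched ;;
            *) echo patched ;;
        esac
        return
    fi
    for entry in $FIXED; do
        if [ "${entry%%:*}" = "$major.$minor" ]; then
            if [ "$patch" -ge "${entry##*:}" ]; then echo patched; else echo unpatched; fi
            return
        fi
    done
    echo unlisted                         # branch has no fixed release on this page
}

# ibmveth_ifaces [SYSFS_NET_DIR] -> names of interfaces bound to the ibmveth driver
ibmveth_ifaces() {
    for dev in "${1:-/sys/class/net}"/*; do
        drv=$(readlink "$dev/device/driver" 2>/dev/null) || continue
        [ "${drv##*/}" = ibmveth ] && echo "${dev##*/}"
    done
    return 0
}

# Report for the local host.
rel=$(uname -r)
echo "kernel $rel: $(classify_kernel "$rel"); ibmveth interfaces: $(ibmveth_ifaces | tr '\n' ' ')"
```

A host is in scope only when the interface list is non-empty; "unlisted" means the running branch has no fixed release named on this page, not that it is safe.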
