Skip to main content

Linux Kernel EUVDEUVD-2026-27755

| CVE-2026-43194 HIGH
2026-05-06 Linux GHSA-6g7r-xrvq-rpc8
High
Disputed · 7.5 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:36 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: consume xmit errors of GSO frames

udpgro_frglist.sh and udpgro_bench.sh are the flakiest tests currently in NIPA. They fail in the same exact way, TCP GRO test stalls occasionally and the test gets killed after 10min.

These tests use veth to simulate GRO. They attach a trivial ("return XDP_PASS;") XDP program to the veth to force TSO off and NAPI on.

Digging into the failure mode we can see that the connection is completely stuck after a burst of drops. The sender's snd_nxt is at sequence number N [1], but the receiver claims to have received (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle is that senders rtx queue is not empty (let's say the block in the rtx queue is at sequence number N - 4 * MSS [3]).

In this state, sender sends a retransmission from the rtx queue with a single segment, and sequence numbers N-4*MSS:N-3*MSS [3]. Receiver sees it and responds with an ACK all the way up to N + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA because it has no recollection of ever sending data that far out [1]. And we are stuck.

The root cause is the mess of the xmit return codes. veth returns an error when it can't xmit a frame. We end up with a loss event like this:

-------------------------------------------------

GSO super frame 1GSO super frame 2
segseg
12

------------------------------------------------- x ok ok <ok>| ok ok ok <x> \\ snd_nxt

"x" means packet lost by veth, and "ok" means it went thru. Since veth has TSO disabled in this test it sees individual segments. Segment 1 is on the retransmit queue and will be resent.

So why did the sender not advance snd_nxt even tho it clearly did send up to seg 8? tcp_write_xmit() interprets the return code from the core to mean that data has not been sent at all. Since TCP deals with GSO super frames, not individual segment the crux of the problem is that loss of a single segment can be interpreted as loss of all. TCP only sees the last return code for the last segment of the GSO frame (in <> brackets in the diagram above).

Of course for the problem to occur we need a setup or a device without a Qdisc. Otherwise Qdisc layer disconnects the protocol layer from the device errors completely.

We have multiple ways to fix this.

  1. make veth not return an error when it lost a packet.

While this is what I think we did in the past, the issue keeps reappearing and it's annoying to debug. The game of whack a mole is not great.

  1. fix the damn return codes

We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the documentation, so maybe we should make the return code from ndo_start_xmit() a boolean. I like that the most, but perhaps some ancient, not-really-networking protocol would suffer.

  1. make TCP ignore the errors

It is not entirely clear to me what benefit TCP gets from interpreting the result of ip_queue_xmit()? Specifically once the connection is established and we're pushing data - packet loss is just packet loss?

  1. this fix

Ignore the rc in the Qdisc-less+GSO case, since it's unreliable. We already always return OK in the TCQ_F_CAN_BYPASS case. In the Qdisc-less case let's be a bit more conservative and only mask the GSO errors. This path is taken by non-IP-"networks" like CAN, MCTP etc, so we could regress some ancient thing. This is the simplest, but also maybe the hackiest fix?

Similar fix has been proposed by Eric in the past but never committed because original reporter was working with an OOT driver and wasn't providing feedback (see Link).

AnalysisAI

TCP connections through veth interfaces with XDP programs can enter a permanent deadlock state where sender and receiver sequence numbers desynchronize, causing all traffic to stall indefinitely. The vulnerability stems from improper error code handling in GSO (Generic Segmentation Offload) frame transmission when individual segments within a GSO super-frame fail - TCP interprets partial segment loss as complete frame loss, advancing receiver state without sender acknowledgment. Affects Linux kernel versions from 3.18 through 6.19.x with patches available across multiple stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation (KEV) or public exploit code has been identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's TCP stack interaction with network device drivers lacking Qdisc (traffic control queue discipline). The issue manifests specifically in veth (virtual Ethernet) interfaces operating with XDP (eXpress Data Path) programs that disable TSO (TCP Segmentation Offload) and enable NAPI (New API polling). When GSO super-frames containing multiple TCP segments traverse these interfaces, individual segment transmission failures return error codes to the TCP layer. TCP's tcp_write_xmit() function interprets the return code from the final segment as representing the entire GSO frame's status. This creates a race condition where partial segment success within a GSO frame causes the receiver's rcv_nxt to advance beyond the sender's snd_nxt, while retransmission queue entries remain unacknowledged. The sender then rejects valid ACKs as TCP_ACK_UNSENT_DATA, triggering permanent connection deadlock. The root cause lies in the ambiguous semantics of ndo_start_xmit() return codes when processing segmented frames without an intermediary Qdisc layer to abstract device-level errors.

RemediationAI

Apply vendor-supplied kernel patches immediately for affected versions: upgrade to Linux kernel 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 depending on your kernel branch. Patches are available through git.kernel.org stable branches (commit hashes: ae3f627b45fb, 0c9de092ef8c, 56bd32c0edca, 9ac6aebef4b4, ea5d7787635e, 4cb163e9efca, c86901d22c89, 7aa767d0d3d0). For systems unable to immediately patch, implement compensating controls: enable Qdisc on veth interfaces (tc qdisc add dev veth0 root pfifo_fast) to isolate protocol layer from device errors, though this adds latency overhead of 10-50 microseconds per packet. Alternatively, remove XDP programs from veth interfaces if TSO/GRO offload testing is not required, restoring default TSO behavior which masks individual segment errors. Monitor for connection stall symptoms in containerized environments: tcp_retranssegs increases without corresponding data transfer, established connections in ESTABLISHED state with non-zero retransmit queue (ss -ti output shows rto and retrans values climbing). Advisory references available at https://nvd.nist.gov/vuln/detail/CVE-2026-43194 and upstream git.kernel.org commit links.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy