HOMEVULNERABILITIESCVE-2026-43194
HIGH

CVE-2026-43194

Published: May 6, 2026· Updated: May 11, 2026

7.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: consume xmit errors of GSO frames

udpgro_frglist.sh and udpgro_bench.sh are the flakiest tests

currently in NIPA. They fail in the same exact way, TCP GRO

test stalls occasionally and the test gets killed after 10min.

These tests use veth to simulate GRO. They attach a trivial

("return XDP_PASS;") XDP program to the veth to force TSO off

and NAPI on.

Digging into the failure mode we can see that the connection

is completely stuck after a burst of drops. The sender's snd_nxt

is at sequence number N [1], but the receiver claims to have

received (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle

is that senders rtx queue is not empty (let's say the block in

the rtx queue is at sequence number N - 4 * MSS [3]).

In this state, sender sends a retransmission from the rtx queue

with a single segment, and sequence numbers N-4*MSS:N-3*MSS [3].

Receiver sees it and responds with an ACK all the way up to

N + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA

because it has no recollection of ever sending data that far out [1].

And we are stuck.

The root cause is the mess of the xmit return codes. veth returns

an error when it can't xmit a frame. We end up with a loss event

like this:

-------------------------------------------------

| GSO super frame 1 | GSO super frame 2 |

|-----------------------------------------------|

| seg | seg | seg | seg | seg | seg | seg | seg |

| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |

-------------------------------------------------

x ok ok <ok>| ok ok ok <x>

\\

snd_nxt

"x" means packet lost by veth, and "ok" means it went thru.

Since veth has TSO disabled in this test it sees individual segments.

Segment 1 is on the retransmit queue and will be resent.

So why did the sender not advance snd_nxt even tho it clearly did

send up to seg 8? tcp_write_xmit() interprets the return code

from the core to mean that data has not been sent at all. Since

TCP deals with GSO super frames, not individual segment the crux

of the problem is that loss of a single segment can be interpreted

as loss of all. TCP only sees the last return code for the last

segment of the GSO frame (in <> brackets in the diagram above).

Of course for the problem to occur we need a setup or a device

without a Qdisc. Otherwise Qdisc layer disconnects the protocol

layer from the device errors completely.

We have multiple ways to fix this.

1) make veth not return an error when it lost a packet.

While this is what I think we did in the past, the issue keeps

reappearing and it's annoying to debug. The game of whack

a mole is not great.

2) fix the damn return codes

We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the

documentation, so maybe we should make the return code from

ndo_start_xmit() a boolean. I like that the most, but perhaps

some ancient, not-really-networking protocol would suffer.

3) make TCP ignore the errors

It is not entirely clear to me what benefit TCP gets from

interpreting the result of ip_queue_xmit()? Specifically once

the connection is established and we're pushing data - packet

loss is just packet loss?

4) this fix

Ignore the rc in the Qdisc-less+GSO case, since it's unreliable.

We already always return OK in the TCQ_F_CAN_BYPASS case.

In the Qdisc-less case let's be a bit more conservative and only

mask the GSO errors. This path is taken by non-IP-"networks"

like CAN, MCTP etc, so we could regress some ancient thing.

This is the simplest, but also maybe the hackiest fix?

Similar fix has been proposed by Eric in the past but never committed

because original reporter was working with an OOT driver and wasn't

providing feedback (see Link).

NVD Source

Technical Analysis

CVE-2026-43194 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (8)

Quick Facts

CVE IDCVE-2026-43194
CVSS Score7.5 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43194 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.