On May 27, 2026, the Linux kernel security team disclosed a significant vulnerability in the IP Virtual Server (IPVS) subsystem that has now drawn a rare public advisory from Microsoft. Tracked as CVE-2026-45850, the flaw resides in how IPVS handles IPv6 packets with extension headers, potentially allowing remote attackers to manipulate TCP, UDP, and SCTP checksums to bypass security controls or disrupt load-balanced services. While the bug exists in Linux kernel code, Microsoft’s decision to publish it in its own Security Update Guide underscores the growing interdependency between Windows and Linux environments — especially in cloud, hybrid, and WSL scenarios.
The advisory, posted to the Microsoft Security Response Center (MSRC) portal shortly after the kernel.org disclosure, rates the vulnerability as high severity and provides guidance for system administrators who might be running affected Linux kernels on Windows-managed infrastructure. This article dives deep into the technical mechanics of CVE-2026-45850, why Microsoft is involved, and what remediation steps you should take immediately.
Understanding IPVS and IPv6 Extension Headers
IPVS (IP Virtual Server) is a transport-layer load balancer built into the Linux kernel, forming the backbone of many high-availability services and cloud-native platforms. It intercepts incoming traffic and distributes it to backend servers using scheduling algorithms like round-robin or least-connection. IPVS operates at the kernel level, manipulating packet headers and recalculating checksums to ensure seamless traffic flow.
IPv6 introduced a flexible header structure that allows optional extension headers between the fixed 40-byte IPv6 header and the upper-layer protocol header (e.g., TCP or UDP). These extension headers carry hop-by-hop options, routing instructions, fragmentation information, authentication data, and more, and are chained together through each header's Next Header field. When a packet contains extension headers, computing the transport-layer checksum takes an extra step: the checksum covers a pseudo-header made of the source and destination addresses, the Upper-Layer Packet Length, and the upper-layer protocol number (TCP or UDP itself, not the IPv6 header's Next Header field, which names the first extension header), and both the length and the protocol can only be determined by walking the chain.
The IPv6 specification (RFC 8200, section 8.1) requires that the TCP and UDP checksums include this pseudo-header, and defines the Upper-Layer Packet Length as the length of the upper-layer header and data only. When extension headers are present, that value is the IPv6 Payload Length minus the length of the extension header chain; feeding the raw Payload Length into the checksum yields a value that is wrong by exactly the chain length. Errors of this kind lead to dropped packets, to corrupted data being accepted, or, in the worst case, to malicious payloads passing a check that should have rejected them.
The Vulnerability Breakdown
CVE-2026-45850 originates from an incorrect checksum recalculation in the IPVS kernel module when it processes IPv6 packets that contain extension headers. The IPVS function ip_vs_checksum_adjust(), responsible for fixing up the TCP/UDP checksum after IPVS rewrites the destination address or port, does not account for the extension header chain when it rebuilds the pseudo-header.
Here's a simplified view of the flawed logic:
- A crafted IPv6 packet arrives at the load balancer with multiple extension headers (e.g., a Hop-by-Hop Options header followed by a Routing header).
- IPVS rewrites the destination address to that of a backend server and must then bring the transport checksum back into agreement with the new pseudo-header.
- When the adjustment is done incrementally (subtract the old address, add the new one), no length is involved and the result is correct. When IPVS instead recomputes the checksum over the pseudo-header, the Upper-Layer Packet Length it supplies must be the Payload Length minus the extension header chain. The stock csum_ipv6_magic() helper computes correctly from whatever length it is handed, but the IPVS code hands it the wrong length when extension headers are present.
- The resulting checksum is off by a deterministic amount that depends only on the lengths of the extension headers. A remote attacker who controls those headers can predict the error and pre-compensate for it, turning a packet that should fail verification into one that passes (or the reverse), which is what enables the bypass, injection and malformed-packet effects described below.
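The following script, an added example rather than kernel code or anything from the advisory, walks through the arithmetic above on a constructed packet: an IPv6 header, a Hop-by-Hop Options header, a Segment Routing header and a TCP SYN, addressed from the documentation prefix 2001:db8::/32. It computes the RFC 8200 checksum with the correct Upper-Layer Packet Length, the value produced when the raw Payload Length is used instead (the failure mode in the list above), and an RFC 1624 incremental update after the VIP-to-backend rewrite. All addresses, ports, header contents and function names are assumptions made for the demo.

```python
"""Added example (not the kernel's or the page's code): the RFC 8200 upper-layer
checksum for an IPv6 packet that carries extension headers, the incorrect variant
that feeds the whole Payload Length into the pseudo-header, and an RFC 1624
incremental update after the destination address is rewritten. Addresses, ports
and header contents are constructed for the demo."""
import struct

NH_HOPOPT, NH_ROUTING, NH_TCP = 0, 43, 6

# Constructed addresses from the documentation prefix 2001:db8::/32.
CLIENT = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
VIP = bytes.fromhex("20010db8000000000000000000000080")      # 2001:db8::80, the load-balanced service
BACKEND = bytes.fromhex("20010db8000000000000000000000a01")  # 2001:db8::a01, a real server


def csum_add(total: int, data: bytes) -> int:
    """Fold data into a 16-bit one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, upper_len: int, proto: int) -> bytes:
    """RFC 8200 section 8.1: addresses, 32-bit Upper-Layer Packet Length, three zero
    bytes, then the upper-layer protocol number (TCP/UDP itself, not the IPv6 Next
    Header field, which names the first extension header when one is present)."""
    return src + dst + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([proto])


def transport_checksum(src, dst, proto, upper, upper_len):
    """Checksum of pseudo-header + upper-layer header/data (its checksum field zeroed)."""
    return (~csum_add(csum_add(0, pseudo_header(src, dst, upper_len, proto)), upper)) & 0xFFFF


def receiver_accepts(src, dst, proto, upper, upper_len):
    """Receiver-side check: the sum over the pseudo-header and the segment as sent,
    checksum field included, must come out as all ones."""
    return csum_add(csum_add(0, pseudo_header(src, dst, upper_len, proto)), upper) == 0xFFFF


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a rewritten header field.
    Only the old and new bytes are needed; the packet length never enters."""
    not_old = bytes(b ^ 0xFF for b in old_field)
    total = csum_add(csum_add((~old_csum) & 0xFFFF, not_old), new_field)
    return (~total) & 0xFFFF


def hop_by_hop(next_hdr: int) -> bytes:
    """8-octet Hop-by-Hop Options header (Hdr Ext Len 0) holding one PadN option."""
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])


def segment_routing_header(next_hdr: int, segment: bytes) -> bytes:
    """RFC 8754 routing header, type 4, one 16-byte segment, Segments Left 0:
    Hdr Ext Len 2 means 8 + 2*8 = 24 octets."""
    return bytes([next_hdr, 2, 4, 0, 0, 0, 0, 0]) + segment


def tcp_syn(checksum: int = 0) -> bytes:
    """20-byte TCP SYN, port 40000 -> 443, with the given checksum field value."""
    return struct.pack("!HHIIHHHH", 40000, 443, 0x12345678, 0, 0x5002, 65535, checksum, 0)


def ipv6_packet(src, dst, first_nh, payload):
    """Fixed IPv6 header (version 6, hop limit 64) followed by payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst + payload


def demo():
    ext_chain = hop_by_hop(NH_ROUTING) + segment_routing_header(NH_TCP, BACKEND)
    seg = tcp_syn()
    pkt = ipv6_packet(CLIENT, VIP, NH_HOPOPT, ext_chain + seg)
    payload_len = struct.unpack("!H", pkt[4:6])[0]      # 32 ext + 20 TCP = 52
    upper_len = payload_len - len(ext_chain)             # what RFC 8200 requires: 20

    good = transport_checksum(CLIENT, VIP, NH_TCP, seg, upper_len)
    wrong = transport_checksum(CLIENT, VIP, NH_TCP, seg, payload_len)   # the flaw: raw Payload Length

    # After the load balancer rewrites VIP -> BACKEND, an incremental update of the
    # good checksum equals a full, correct recomputation with the new pseudo-header.
    rewritten = incremental_update(good, VIP, BACKEND)
    recomputed = transport_checksum(CLIENT, BACKEND, NH_TCP, seg, upper_len)
    return {
        "ext_len": len(ext_chain),
        "good": good,
        "wrong": wrong,
        "offset": (good - wrong) % 0xFFFF,   # one's-complement distance: the chain length
        "good_accepted": receiver_accepts(CLIENT, VIP, NH_TCP, tcp_syn(good), upper_len),
        "wrong_accepted": receiver_accepts(CLIENT, VIP, NH_TCP, tcp_syn(wrong), upper_len),
        "incremental_matches_recompute": rewritten == recomputed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the two checksums differ by exactly 32, the length of the extension header chain; the receiver accepts only the correct one; and the incremental update matches a full recomputation. That last point is why a delta-style adjustment is immune to this class of bug while a recompute that trusts the Payload Length is not.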
In practice, this can lead to:
- Security bypass: A hardened IPVS load balancer might be configured to drop packets that don't match certain patterns. With a fraudulent checksum, a packet could pass verification at one layer but cause unpredictable behavior at the backend.
- Denial of Service (DoS): Backend servers receiving packets with invalid checksums might discard them, while legitimate traffic gets starved.
- Loss of transport-layer integrity: Although not a classic MitM, an attacker could craft packets whose effective payload after load balancing differs from what the checksum was supposed to protect, potentially enabling session hijacking if the application relies on the transport checksum alone for integrity.
Kernel.org’s advisory notes that the issue affects Linux kernel versions from 4.15 to 6.6 LTS, with patches already backported to stable branches. The flaw was independently reported by researchers at Intel Labs and the University of California, Riverside, who demonstrated practical exploits on Kubernetes clusters using IPVS mode.
Microsoft’s Role in Flagging the Linux Flaw
Why would Microsoft publish a CVE for a Linux kernel vulnerability? The answer lies in the expanding reach of Linux workloads on Windows systems:
- Windows Subsystem for Linux (WSL): WSL2 runs a full Linux kernel inside a lightweight VM. Administrators who deploy custom kernels or use older WSL kernels could be affected if they run IPVS-based services inside WSL instances.
- Azure and hybrid cloud: Microsoft Azure runs many Linux nodes that load-balance with IPVS, most visibly AKS clusters whose kube-proxy operates in IPVS mode. Many Windows Server administrators manage these Linux nodes through tools like Windows Admin Center.
- Defender for Cloud and Security Update Guide expansion: Microsoft now routinely tracks critical open-source vulnerabilities that affect its ecosystem and publishes them in the same machine-readable Common Vulnerability Reporting Framework (CVRF) format it uses for its own advisories. Starting in 2025, the MSRC broadened its coverage to non-Microsoft software that is heavily used by its customers, providing a unified advisory experience.
In the CVE-2026-45850 advisory, Microsoft explicitly states: “This vulnerability affects Linux kernel IPVS component, which may be run on Windows systems via the Windows Subsystem for Linux or in Azure deployments. Immediate patching is recommended.” The advisory links to both kernel.org patches and Microsoft’s own updated WSL kernel packages.
This cross-platform vigilance is part of a broader industry trend. With supply-chain attacks on the rise, companies like Microsoft, Google, and Amazon catalog vulnerabilities across their dependencies, not just proprietary code. For Windows enthusiasts, the takeaway is clear: even if you’re not a Linux administrator, your Windows environment might be shipping Linux components that need patching.
Exploitability and Attack Vectors
The CVSS 3.1 base score for CVE-2026-45850 is 8.6 (High), with the vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. This means:
- Network exploitable: No physical or local access required.
- Low attack complexity: An attacker needs only network-level access to craft and send packets.
- No privileges or user interaction required: The load balancer processes packets automatically.
- Scope changed: Impact can spill beyond the vulnerable system.
- High confidentiality impact: Potential data exposure if payloads bypass inspection.
Real-world attack scenarios often target public-facing load balancers. An attacker could:
- Scan for IPVS load balancers by sending IPv6 packets with various extension headers and observing response differences.
- Craft a packet with a spoofed source whose checksum is wrong as sent but becomes valid after the load balancer's miscalculated adjustment, so the backend accepts it as if it had arrived intact from a trusted source or network segment.
- Exploit the checksum confusion to inject HTTP headers into web traffic, poisoning caches or stealing cookies.
- Combine the checksum flaw with IP fragmentation to delay reassembly and sneak malicious payloads past IDS/IPS systems.
Proof-of-concept code released by the researchers shows that on a testbed with a Keepalived + IPVS setup, a single malicious IPv6 packet carrying a Hop-by-Hop Options header can be built so that the load balancer's miscalculated adjustment produces a checksum the backend accepts, delivering arbitrary data to a backend server without triggering load-balancer ACLs. A checksum value of zero has no special status in this attack: TCP treats 0x0000 as just another value to be verified, and while UDP over IPv4 treats a zero checksum as "no checksum", RFC 8200 requires UDP over IPv6 to carry a checksum.
Mitigations and Patches
Linux distributions and major cloud providers acted swiftly. Canonical, Red Hat, SUSE, and Debian released kernel updates within 48 hours. Kubernetes administrators running kube-proxy in IPVS mode should upgrade their node images immediately.
For Windows users, Microsoft offers two primary paths:
- WSL Kernel Update: If you use WSL2, check your kernel version with wsl cat /proc/version. The fixed kernel is version 5.15.162.1 and above for WSL2. You can download the package from the Microsoft Store or GitHub releases. After installation, restart WSL instances.
- Azure and Windows Server: If you manage Azure Linux VMs or Azure Kubernetes Service clusters, apply the latest security patches from the Azure Update Manager or follow the advisory to upgrade node pools. Windows Server with Hyper-V might host Linux VMs; those guests need separate patching.
For those running custom kernels, the upstream fixes are commits 6d1c2c7a36b6 up to 8f4a9c7b2a1c in the netfilter tree, which correct ip_vs_checksum_adjust() to call csum_ipv6_magic() with the Upper-Layer Packet Length, that is, the IPv6 Payload Length minus the length of the extension header chain, rather than the raw Payload Length. Backport patches are available for all long-term stable branches.
Microsoft’s advisory recommends a defense-in-depth approach:
- Enable IPv6 ingress filtering on load balancers to block packets with unexpected extension headers.
- Terminate client connections at a Layer 7 proxy or Web Application Firewall (WAF) so that client-supplied IPv6 headers never reach the backend; the proxy opens its own, clean connection to the backend.
- Log and monitor IPv6 traffic patterns using tools like Azure Network Watcher or Wireshark on Windows.
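As an added example of the first and third recommendations (it is not Microsoft's, the kernel's or the page's code), the script below parses an IPv6 extension header chain, applies a filtering policy in the spirit of RFC 9288 and RFC 5095, and reports for accepted packets the upper-layer protocol, offset and length that a correct checksum check needs. The policy values, the sample packets, the 2001:db8:: addresses and the function names are all constructed for the demo; a real deployment would take the policy from its own traffic requirements.

```python
"""Added example (not Microsoft's, the kernel's or the page's code): walk an IPv6
extension header chain the way an ingress filter must before it can locate the
transport header, then apply a filtering policy modelled on RFC 9288, with Routing
Header Type 0 dropped per RFC 5095. Policy values and packets are constructed."""
import struct

HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 59, 60, 135
TCP, UDP = 6, 17
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS, MOBILITY}

# Constructed policy: no Hop-by-Hop, only SRv6 (routing type 4), at most 3 headers.
DEFAULT_POLICY = {"allow_hbh": False, "allowed_routing_types": {4}, "max_headers": 3}


def walk_chain(pkt: bytes):
    """Return (upper_proto, upper_offset, chain); chain lists (type, octets,
    routing_type_or_None). Raises ValueError when the chain is malformed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("Payload Length exceeds captured bytes")
    off, chain = 40, []
    while nh in EXT_HEADERS:
        if nh in (NONEXT, ESP):             # nothing parseable follows (ESP is opaque)
            return nh, off, chain
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            octets = 8                      # fixed size, RFC 8200 section 4.5
        elif nh == AH:
            octets = (ext_len + 2) * 4      # AH counts 32-bit words minus 2
        else:
            octets = (ext_len + 1) * 8      # Hdr Ext Len in 8-octet units, first 8 excluded
        rtype = pkt[off + 2] if nh == ROUTING else None
        chain.append((nh, octets, rtype))
        off += octets
        if off > end:
            raise ValueError(f"header type {nh} runs past Payload Length")
        nh = next_nh
    return nh, off, chain


def ingress_verdict(pkt: bytes, policy=DEFAULT_POLICY) -> dict:
    """Filter decision plus the values a correct checksum computation needs afterwards."""
    try:
        proto, off, chain = walk_chain(pkt)
    except ValueError as exc:
        return {"verdict": "drop", "reason": f"malformed: {exc}"}
    types = [t for t, _, _ in chain]
    result = {"chain": types, "proto": proto, "upper_offset": off,
              "upper_len": 40 + struct.unpack("!H", pkt[4:6])[0] - off}
    reason = None
    if len(chain) > policy["max_headers"]:
        reason = f"{len(chain)} extension headers, limit {policy['max_headers']}"
    elif HOPOPT in types and not policy["allow_hbh"]:
        reason = "Hop-by-Hop Options not permitted"
    elif HOPOPT in types and types[0] != HOPOPT:
        reason = "Hop-by-Hop must directly follow the IPv6 header (RFC 8200)"
    elif any(t != DSTOPTS and types.count(t) > 1 for t in types):
        reason = "repeated extension header"
    else:
        for t, _, rtype in chain:
            if t == ROUTING and rtype == 0:
                reason = "Routing Header Type 0, deprecated by RFC 5095"
            elif t == ROUTING and rtype not in policy["allowed_routing_types"]:
                reason = f"routing type {rtype} not permitted"
    if reason is None and proto in (TCP, UDP) and off + (20 if proto == TCP else 8) > len(pkt):
        reason = "transport header truncated"
    result.update(verdict="drop" if reason else "accept", reason=reason or "ok")
    return result


# --- constructed sample packets -------------------------------------------------
def ipv6(src, dst, first_nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst + payload

def options_header(next_hdr):            # 8-octet HBH or Destination Options, one PadN
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

def routing_header(next_hdr, rtype, segs_left, addr):   # one 16-byte address, Hdr Ext Len 2
    return bytes([next_hdr, 2, rtype, segs_left, 0, 0, 0, 0]) + addr

SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")          # 2001:db8::1
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")          # 2001:db8::2
TCP_SYN = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, 0x5002, 65535, 0, 0)  # checksum irrelevant here

SAMPLES = {
    "plain_tcp": ipv6(SRC, DST, TCP, TCP_SYN),
    "hbh_then_srv6": ipv6(SRC, DST, HOPOPT, options_header(ROUTING) + routing_header(TCP, 4, 0, DST) + TCP_SYN),
    "rh0": ipv6(SRC, DST, ROUTING, routing_header(TCP, 0, 1, DST) + TCP_SYN),
    "four_dstopts": ipv6(SRC, DST, DSTOPTS, options_header(DSTOPTS) * 3 + options_header(TCP) + TCP_SYN),
    "lying_hbh_len": ipv6(SRC, DST, HOPOPT, bytes([TCP, 10, 1, 4, 0, 0, 0, 0]) + TCP_SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():      # one summary line per packet, suitable for a log
        r = ingress_verdict(pkt)
        print(f"{name:14} {r['verdict']:6} {r['reason']}  chain={r.get('chain')} upper_len={r.get('upper_len')}")
```

The walker is the same code path a checksum verifier needs: the upper-layer offset it returns is where the TCP header starts, and the upper_len it reports is the Payload Length minus the chain, exactly the value that belongs in the pseudo-header. Relaxing allow_hbh in the policy shows the Hop-by-Hop plus SRv6 packet being accepted with upper_len 20 while the RH0 and oversized-chain packets are still dropped.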
Broader Implications for Cross-Platform Security
CVE-2026-45850 is a textbook case of the risks inherent in protocol complexity. IPv6 extension headers have long been a source of security problems: Routing Header Type 0 was deprecated by RFC 5095 because it could be used to amplify traffic and bounce packets past filters, RFC 7112 had to require that the entire header chain fit in the first fragment because split chains let packets evade stateless inspection, and RFC 9288 exists largely to tell operators which extension headers transit routers should drop. The incident reinforces the need for:
- Protocol simplification: Industry voices are calling for deprecation of certain IPv6 extension headers that are rarely used but add significant attack surface. The IETF 6MAN working group continues to debate header chain minimization.
- Kernel memory safety: While the bug itself is a logic error, the broader trend toward rewriting network stacks in memory-safe languages (Rust for Linux, for instance) could reduce such pitfalls.
- Unified vulnerability management: Microsoft’s inclusion of a Linux CVE in its portal signals that the days of siloed operating system security are over. Organizations need asset management tools that track all software components, regardless of origin.
For Windows administrators, the lesson is to scrutinize not just Windows Update but also the Linux subsystems under your care. Tools like Microsoft Defender for Endpoint now monitor WSL kernel versions and can alert on missing patches.
The collaboration between the Linux community and Microsoft on this issue has been exemplary. Within hours of the disclosure, Microsoft engineers contributed to the patch review process on the kernel mailing list, and the company's Azure CNA (CVE Numbering Authority) helped coordinate the assignment. This cross-vendor cooperation sets a positive precedent for handling vulnerabilities in the heterogeneous stacks that dominate modern IT.
What You Need to Do Today
If you’re reading this as a Windows environment administrator, take these steps:
- Inventory: List all Windows machines with WSL2 enabled and any servers hosting Linux VMs. Command: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux, and check Hyper-V VM status.
- Assess: Run wsl --status on WSL hosts to see the kernel version. If it is lower than 5.15.162.1, flag it. Compare the version numbers field by field, not as strings: a plain string comparison sorts 5.15.90.1 after 5.15.162.1.
- Patch: Apply the WSL kernel update via wsl --update or download the package from the Microsoft Store. Reboot or restart WSL (wsl --shutdown).
- Harden: For edge load balancers running IPVS, verify with your distribution vendor that the kernel fix is applied. If you're using a cloud load balancer (AWS NLB, Azure LB), check their advisories.
- Monitor: Enable Defender for Cloud’s vulnerability assessment for all Linux VMs to catch future issues early.
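The version comparison in the Assess step is the part that most often goes wrong, so here is an added checker; it is not a Microsoft tool, the commands themselves still run in PowerShell, and this script only examines their output. It picks the kernel line out of constructed wsl --status and /proc/version text (so the WSL version line is not mistaken for the kernel), compares the version numerically, and refuses to pronounce on kernel series for which the fixed release is not known. The sample lines, the fix table (which holds only the 5.15.162.1 figure quoted above) and the function names are assumptions; real wsl --status output may be worded differently.

```python
"""Added example (not Microsoft's tooling): extract the kernel version from the text
that wsl --status or wsl cat /proc/version prints and compare it numerically against
the fixed release named above. Sample output lines are constructed."""
import re

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")
KERNEL_LINE_RE = re.compile(r"kernel|linux version", re.I)

# Fixed releases per stable series. Only the WSL2 entry comes from the advisory text
# above; any other series has to be looked up in the distribution's own advisory.
FIXED = {(5, 15): (5, 15, 162, 1)}


def parse_kernel_version(text: str):
    """Version tuple from the line that talks about the kernel. Lines such as
    'WSL version: 2.4.13.0' also contain a dotted number, so the kernel line is
    chosen by keyword instead of taking the first match in the whole text."""
    for line in text.splitlines():
        if KERNEL_LINE_RE.search(line):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(g) if g is not None else 0 for g in m.groups())
    return None


def assess(text: str, fixed=FIXED) -> str:
    """'patch', 'ok', or 'unknown: ...' when the script cannot decide honestly."""
    v = parse_kernel_version(text)
    if v is None:
        return "unknown: no kernel version in output"
    series = v[:2]
    if series not in fixed:
        return "unknown: series %d.%d not in fix table, check vendor advisory" % series
    return "patch" if v < fixed[series] else "ok"   # tuple comparison is numeric


# Constructed samples; the real wsl --status wording may differ.
SAMPLES = {
    "old_wsl": "Linux version 5.15.153.1-microsoft-standard-WSL2 (root@build) #1 SMP",
    "fixed_wsl": "Linux version 5.15.162.1-microsoft-standard-WSL2 (root@build) #1 SMP",
    "lexical_trap": "Linux version 5.15.90.1-microsoft-standard-WSL2 (root@build) #1 SMP",
    "status_output": "WSL version: 2.4.13.0\nKernel version: 5.15.167.4-1\nDefault Version: 2",
    "other_series": "Linux version 6.6.36.3-microsoft-standard-WSL2 (root@build) #1 SMP",
}


def audit(samples=SAMPLES) -> dict:
    return {name: assess(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14} {verdict}")
```

The "lexical_trap" sample is the case a string comparison gets backwards, and "other_series" is the case an over-eager script would wrongly report as patched: a 6.6 kernel is numerically above 5.15.162.1 yet falls inside the affected range the advisory lists.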
The vulnerability matters even if you never touch a Linux terminal. With WSL deeply woven into Windows workflows — from Docker Desktop to VS Code remote development — a flaw in the Linux kernel is, by extension, a flaw in the Windows ecosystem.
CVE-2026-45850 serves as a stark reminder that security boundaries blur when multiple operating systems share a kernel-space foothold. As Microsoft continues to embrace Linux, expect more such cross-platform advisories — and be ready to act on them just as quickly as on Patch Tuesday.