CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description (NVD)
In the Linux kernel, the following vulnerability has been resolved:
inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
Yizhou Zhao reported that simply having one RAW socket on protocol IPPROTO_RAW (255) was dangerous.
socket(AF_INET, SOCK_RAW, 255);
A malicious incoming ICMP packet can set the protocol field to 255 and match this socket, leading to FNHE cache changes.
    inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST")
    pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner
"man 7 raw" states:
A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able to send any IP protocol that is specified in the passed header. Receiving of all IP protocols via IPPROTO_RAW is not possible using raw sockets.
Make sure we drop these malicious packets.
Analysis (AI)
Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (protocol 255), where a malicious incoming ICMP packet whose inner header advertises protocol 255 will be matched to the socket and trigger FNHE (Forwarding Next Hop Exception) cache changes. The flaw affects Linux systems where a process has opened a RAW socket on protocol 255, and remote attackers can use crafted ICMP fragmentation-needed messages to influence routing decisions. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that a local process on the victim host has opened a RAW socket with protocol IPPROTO_RAW (255) via socket(AF_INET, SOCK_RAW, 255), which normally requires CAP_NET_RAW or root - this is the precise feature gate documented in the CVE. … |
| Risk Assessment | The signals are conflicting and require nuanced interpretation. … |
| Exploit Scenario | An attacker on the internet sends a forged ICMP Destination Unreachable (type 3, code 4) packet to a Linux host that has any process holding a RAW socket on IPPROTO_RAW, with the embedded inner IP header crafted as IP(src=victim_route, dst=target, proto=255). The kernel matches the inner header to the RAW socket and installs a Forwarding Next Hop Exception with the attacker-supplied next-hop MTU (e.g., 576 bytes), shrinking the path MTU to the chosen destination and degrading or hijacking traffic flow. … |
| Remediation | Vendor-released patch: upgrade to Linux kernel 6.6.128, 6.12.75, 6.18.14, 6.19.4, or later (or your distribution's backported equivalent) - the fix drops incoming packets matched against RAW sockets bound to IPPROTO_RAW, restoring the documented send-only behavior. … |
Recommended Action (AI)
24 hours: Asset discovery - identify all Linux systems with RAW socket listeners active (protocol 255); coordinate with infrastructure and network teams to map exposure. …
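One way to carry out the asset-discovery step on a single host, as an added example that is not part of the original page: it parses /proc/net/raw, where the port half of local_address holds the raw socket's protocol number in hex, and maps matching socket inodes to the PIDs that hold them. The sample table and the function names are constructed for illustration.

```python
import os

IPPROTO_RAW = 255  # protocol number named in the advisory

# Constructed sample in /proc/net/raw layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
    1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21345 2 0000000000000000 0
  255: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 48213 2 0000000000000000 0
"""

def find_proto_sockets(table, proto=IPPROTO_RAW):
    """Return (uid, inode) for each IPv4 raw socket opened with `proto`.

    The "port" half of local_address is the socket's protocol number in hex
    (0001 = ICMP, 00FF = IPPROTO_RAW).
    """
    hits = []
    for line in table.splitlines()[1:]:  # skip the header row
        f = line.split()
        try:
            num = int(f[1].rsplit(":", 1)[1], 16)
            uid, inode = int(f[7]), int(f[9])
        except (IndexError, ValueError):
            continue  # malformed or short row
        if num == proto:
            hits.append((uid, inode))
    return hits

def owners(inodes, proc="/proc"):
    """Map each socket inode to the PIDs holding it (root sees all processes)."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    found = {i: set() for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target in wanted:
                    found[wanted[target]].add(int(pid))
        except OSError:
            continue  # process exited or access denied
    return {i: sorted(p) for i, p in found.items()}

if __name__ == "__main__":
    with open("/proc/net/raw") as fh:  # current network namespace only
        hits = find_proto_sockets(fh.read())
    pids = owners([inode for _, inode in hits])
    for uid, inode in hits:
        print(f"IPPROTO_RAW socket: uid={uid} inode={inode} pids={pids[inode]}")
```

/proc/net/raw lists only the sockets of the network namespace the script runs in, so containers and other namespaces need to be checked separately.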
EUVD-2026-34128
GHSA-3vgg-pc24-vv5m