Skip to main content

Linux Kernel CVE-2026-46306

| EUVDEUVD-2026-35171 HIGH
2026-06-08 Linux GHSA-vm8v-fr63-mfh4
7.5
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.3 MEDIUM

PPPoE EtherTypes are L2-adjacent (AV:A); panic only on alignment-intolerant CPUs with RPS-class features enabled (AC:H); unauthenticated availability-only kernel crash.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:29 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.5 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 cve.org
HIGH 7.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

flow_dissector: do not dissect PPPoE PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the flow dissector driver has assumed an uncompressed frame until the blamed commit.

During the review process of that commit [1], support for PFC is suggested. However, having a compressed (1-byte) protocol field means the subsequent PPP payload is shifted by one byte, causing 4-byte misalignment for the network header and an unaligned access exception on some architectures.

The exception can be reproduced by sending a PPPoE PFC frame to an ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE session is active on that interface:

$ 0 : 00000000 80c40000 00000000 85144817 $ 4 : 00000008 00000100 80a75758 81dc9bb8 $ 8 : 00000010 8087ae2c 0000003d 00000000 $12 : 000000e0 00000039 00000000 00000000 $16 : 85043240 80a75758 81dc9bb8 00006488 $20 : 0000002f 00000007 85144810 80a70000 $24 : 81d1bda0 00000000 $28 : 81dc8000 81dc9aa8 00000000 805ead08 Hi : 00009d51 Lo : 2163358a epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50 ra : 805ead08 __skb_get_hash_net+0x74/0x12c Status: 11000403 KERNEL EXL IE Cause : 40800010 (ExcCode 04) BadVA : 85144817 PrId : 0001992f (MIPS 1004Kc) Call Trace: [<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50 [<805ead08>] __skb_get_hash_net+0x74/0x12c [<805ef330>] get_rps_cpu+0x1b8/0x3fc [<805fca70>] netif_receive_skb_list_internal+0x324/0x364 [<805fd120>] napi_complete_done+0x68/0x2a4 [<8058de5c>] mtk_napi_rx+0x228/0xfec [<805fd398>] __napi_poll+0x3c/0x1c4 [<805fd754>] napi_threaded_poll_loop+0x234/0x29c [<805fd848>] napi_threaded_poll+0x8c/0xb0 [<80053544>] kthread+0x104/0x12c [<80002bd8>] ret_from_kernel_thread+0x14/0x1c

Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000

To reduce the attack surface and maintain performance, do not process PPPoE PFC frames.

[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home

AnalysisAI

Denial of service in the Linux kernel flow dissector allows remote attackers to trigger an unaligned access exception by sending crafted PPPoE Protocol Field Compression (PFC) frames to an Ethernet interface on alignment-sensitive architectures such as MIPS. The flaw affects kernels from 6.0 onward where Receive Packet Steering (RPS) or similar features invoke the flow dissector on incoming frames, and no PPPoE session needs to be active on the targeted interface. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the vendor has released patched kernel versions.

Technical ContextAI

The vulnerability is in net/core/flow_dissector.c (__skb_flow_dissect), which parses incoming packets to derive flow hashes for features like RPS, RFS, and aRFS. RFC 2516 Section 7 explicitly does NOT RECOMMEND Protocol Field Compression for PPPoE, and pppd does not negotiate it, so the dissector previously assumed an uncompressed 2-byte protocol field. A prior commit added speculative PFC support, but a 1-byte compressed protocol field shifts the subsequent PPP payload by one byte and misaligns the network header by 4 bytes. On architectures that do not transparently handle unaligned access (e.g. MIPS 1004Kc, as shown in the oops trace at __skb_flow_dissect+0x1b0/0x1b50), this triggers an alignment exception and kernel panic. The CPE strings cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* identify the upstream Linux kernel; the fix is to skip dissection of PPPoE PFC frames entirely.

RemediationAI

Vendor-released patch: upgrade to Linux 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1 (or later) from the corresponding stable series, applying the upstream commits at https://git.kernel.org/stable/c/e7c811ca372d53c2be7d01a1614e71fae1054836 and its backports. For Debian and other distributions, pull the security update once the backport lands. Where immediate kernel upgrade is not possible on MIPS or other alignment-sensitive devices, compensating controls include disabling RPS on affected interfaces (echo 0 > /sys/class/net/<iface>/queues/rx-*/rps_cpus), which removes the flow-dissector invocation on the RX path at the cost of single-CPU softirq handling and reduced throughput on multi-core systems, or filtering inbound PPPoE EtherTypes 0x8863/0x8864 at the edge on interfaces that are not legitimate PPPoE termination points (this will break any actual PPPoE service on that link). Disabling features such as RFS/aRFS and XDP flow-hash paths similarly avoids the dissector for raw RX but has equivalent throughput trade-offs.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy