CRITICAL · CVE-2026-46266 · CNA: Linux

CVE-2026-46266: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP

In the Linux kernel, the following vulnerability has been resolved:

inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP

Yizhou Zhao reported that simply having one RAW socket on protocol IPPROTO_RAW (255) was dangerous.

    socket(AF_INET, SOCK_RAW, 255);

A malicious incoming ICMP packet can set the protocol field to 255 and match this socket, leading to FNHE cache changes.

    inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST")
    pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner

"man 7 raw" states:

    A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able to send any IP protocol that is specified in the passed header. Receiving of all IP protocols via IPPROTO_RAW is not possible using raw sockets.

Make sure we drop these malicious packets.
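Because the description ties exposure to a host having at least one open IPPROTO_RAW socket, an exposure check is to list such sockets and the processes holding them. The following is an added example, not code from the kernel patch or from HarborGuard; it assumes the /proc/net/raw layout in which the port half of local_address carries the socket's protocol number, covers only IPv4 raw sockets in the current network namespace, and uses hypothetical function names and a constructed sample.

```python
import os

IPPROTO_RAW = 255

# Constructed sample in the /proc/net/raw layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41872 2 0000000000000000 0
 255: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 52310 2 0000000000000000 0
"""

def raw_sockets(proc_text):
    """Yield (protocol, uid, inode) per socket row; header and malformed rows are skipped."""
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or ":" not in fields[1]:
            continue
        try:
            # Assumption: the "port" half of local_address is the protocol number.
            yield int(fields[1].split(":")[1], 16), int(fields[7]), int(fields[9])
        except ValueError:
            continue

def ipproto_raw_inodes(proc_text):
    """Inodes of raw sockets created with protocol 255 (IPPROTO_RAW)."""
    return [inode for proto, _uid, inode in raw_sockets(proc_text) if proto == IPPROTO_RAW]

def socket_owners(inodes, proc_root="/proc"):
    """Map inode -> set of PIDs with an fd on that socket (root sees every process)."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {i: set() for i in inodes}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if (target := os.readlink(os.path.join(fd_dir, fd))) in wanted:
                    owners[wanted[target]].add(int(pid))
        except OSError:
            continue  # process exited or its fd table is not readable
    return owners

if __name__ == "__main__":
    try:
        text = open("/proc/net/raw").read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample off-Linux
    inodes = ipproto_raw_inodes(text)
    print(socket_owners(inodes) if inodes else "no IPPROTO_RAW sockets found")
```

Run it as root on each node so that file descriptors of other users' processes are visible.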

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

This is a networking logic flaw in the Linux kernel's raw socket handling. A remote attacker can send a crafted ICMP packet over the network with no authentication required, and the kernel incorrectly delivers it to any open IPPROTO_RAW (protocol 255) socket, allowing the attacker to manipulate the Forwarding Next Hop Exception (FNHE) routing cache. Successful exploitation lets the attacker corrupt routing state on the host, enabling traffic redirection and denial of service. A patched-image rebuild at the fix versions (6.6.128 and 6.12.75) is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46266 is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle an affected kernel or kernel-dependent base layer.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 9.1 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild pinned to Linux kernel 6.6.128 or 6.12.75 becomes available in HarborGuard the moment the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard can execute the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send packets to the target host over the network; no prior foothold on the machine is needed.

  • Authentication: Not required

    No credentials or account of any kind are required; the exploit is triggered by a raw crafted packet sent from any external source.

  • Victim interaction: Not required

    The attack is fully passive from the victim's perspective; no user action or administrator interaction is needed to trigger the vulnerable code path.

  • Attack complexity: Detail

    Attack complexity is low; the exploit requires only a single well-formed ICMP packet with the inner protocol field set to 255, with no race conditions or special environmental state required.
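The distinguishing trait named above, an ICMP error whose quoted inner IPv4 header carries protocol 255, can be matched in captured traffic without touching ordinary Path MTU messages. This is an added detection example, not the kernel fix and not HarborGuard code; the function names are hypothetical, and the two sample packets are constructed from the field values in the CVE description with checksums left at zero because they are only parsed.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_RAW = 1, 255
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP errors that quote the offending IP header

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst), or None if buf is not a usable IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def quoted_proto_255(packet):
    """Return (icmp_type, icmp_code, outer_src, quoted_dst) when an ICMP error
    quotes an IPv4 header whose protocol field is 255; otherwise None."""
    outer = parse_ipv4(packet)
    if outer is None or outer[1] != IPPROTO_ICMP:
        return None
    icmp = packet[outer[0]:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    quoted = parse_ipv4(icmp[8:])  # quoted header follows the 8-byte ICMP header
    if quoted is None or quoted[1] != IPPROTO_RAW:
        return None
    return icmp[0], icmp[1], outer[2], quoted[3]

def ipv4(src, dst, proto, payload):
    """Build a constructed test vector (checksum left at zero, for parsing only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def icmp_frag_needed(quoted, mtu=576):
    """ICMP type 3 code 4 header (checksum zero) followed by the quoted datagram."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted

# Constructed sample using the field values quoted in the CVE description.
SUSPECT = ipv4("192.168.1.1", "192.168.2.1", 1,
               icmp_frag_needed(ipv4("192.168.2.1", "8.8.8.8", 255, b"TEST")))
# Constructed benign PMTU message quoting a UDP datagram (protocol 17).
BENIGN = ipv4("192.168.1.1", "192.168.2.1", 1,
              icmp_frag_needed(ipv4("192.168.2.1", "8.8.8.8", 17, b"\x00" * 8)))

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, quoted_proto_255(pkt))
```

The returned quoted destination is the address whose cached route exception the packet would target, which makes it the field to log alongside the outer source.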

Blast Radius

  • The attacker overwrites FNHE routing cache entries, redirecting outbound traffic for targeted destination prefixes through an attacker-controlled next hop.
  • Corrupted FNHE entries cause Path MTU Discovery values to be poisoned, fragmenting or dropping legitimate traffic flows and producing sustained denial of service for affected destinations.
  • An attacker can repeatedly send malicious ICMP packets to lock routing into a degraded state, effectively isolating the host from specific network segments without any persistent access.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and rebuild capabilities for CVE-2026-46266 are ready for use across customer environments. For images running a Linux kernel older than 6.6.128 or 6.12.75, a patched-image rebuild is available as soon as the fix version is confirmed in the upstream feed. For customers with auto-remediation enabled, HarborGuard can rebuild the affected image, run a regression test, and open a pull request against impacted workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation active. Where auto-remediation is not permitted by compliance policy, HarborGuard flags the affected images and surfaces the finding for manual review. As an interim compensating control, customers can consider network-policy rules that restrict inbound ICMP type 3 (Destination Unreachable) traffic at the container or node boundary, reducing the attack surface until the patched kernel image is deployed.


Fix available

Affected packages
  • Linux / Linux
    < db76b75ede3810e7cf9cfea5067d4f3e0993768b (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 19e42490c89bac9a388f28179e66bebbef350f99 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 531c1aec81bfe19d00af13da5531fbb8209e4bd2 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 719d3932b8f6e3348ce2f0ac58e278301fc17575 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < c89477ad79446867394360b29bb801010fc3ff22 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
  • Linux / Linux
    2.6.12
    Fixed in 0, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H