Severity: HIGH · CVE-2026-46306 · CNA: Linux

CVE-2026-46306: flow_dissector: do not dissect PPPoE PFC frames

In the Linux kernel, the following vulnerability has been resolved:

flow_dissector: do not dissect PPPoE PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the flow dissector driver has assumed an uncompressed frame until the blamed commit.

During the review process of that commit [1], support for PFC is suggested. However, having a compressed (1-byte) protocol field means the subsequent PPP payload is shifted by one byte, causing 4-byte misalignment for the network header and an unaligned access exception on some architectures.

The exception can be reproduced by sending a PPPoE PFC frame to an ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE session is active on that interface:

    $ 0   : 00000000 80c40000 00000000 85144817
    $ 4   : 00000008 00000100 80a75758 81dc9bb8
    $ 8   : 00000010 8087ae2c 0000003d 00000000
    $12   : 000000e0 00000039 00000000 00000000
    $16   : 85043240 80a75758 81dc9bb8 00006488
    $20   : 0000002f 00000007 85144810 80a70000
    $24   : 81d1bda0 00000000
    $28   : 81dc8000 81dc9aa8 00000000 805ead08
    Hi    : 00009d51
    Lo    : 2163358a
    epc   : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
    ra    : 805ead08 __skb_get_hash_net+0x74/0x12c
    Status: 11000403 KERNEL EXL IE
    Cause : 40800010 (ExcCode 04)
    BadVA : 85144817
    PrId  : 0001992f (MIPS 1004Kc)
    Call Trace:
    [<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
    [<805ead08>] __skb_get_hash_net+0x74/0x12c
    [<805ef330>] get_rps_cpu+0x1b8/0x3fc
    [<805fca70>] netif_receive_skb_list_internal+0x324/0x364
    [<805fd120>] napi_complete_done+0x68/0x2a4
    [<8058de5c>] mtk_napi_rx+0x228/0xfec
    [<805fd398>] __napi_poll+0x3c/0x1c4
    [<805fd754>] napi_threaded_poll_loop+0x234/0x29c
    [<805fd848>] napi_threaded_poll+0x8c/0xb0
    [<80053544>] kthread+0x104/0x12c
    [<80002bd8>] ret_from_kernel_thread+0x14/0x1c

    Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000

To reduce the attack surface and maintain performance, do not process PPPoE PFC frames.

[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
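The behaviour the description argues for, as an added example (not the kernel's code and not the upstream patch): a user-space classifier that recognises a compressed PPP protocol field after the PPPoE session header, declines to dissect such frames, and shows the misalignment that accepting them would cause. All function names and the sample bytes are constructed for illustration, and the alignment figure assumes the PPPoE header starts on a 4-byte boundary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPPOE_HDR_LEN 6 /* ver/type, code, session id, length (RFC 2516) */

enum ppp_field { PPP_TRUNCATED, PPP_UNCOMPRESSED, PPP_PFC };

/* Constructed samples: PPPoE session header followed by the PPP protocol
 * field for IPv4 (0x0021) and the first bytes of an IPv4 header. */
static const uint8_t sample_plain[] = {0x11, 0x00, 0x00, 0x01, 0x00, 0x04,
                                       0x00, 0x21, 0x45, 0x00};
static const uint8_t sample_pfc[]   = {0x11, 0x00, 0x00, 0x01, 0x00, 0x03,
                                       0x21, 0x45, 0x00};

/* RFC 1661: the last octet of a PPP protocol number is odd and any earlier
 * octet is even, so an odd first octet means a compressed 1-byte field. */
enum ppp_field classify_ppp_field(const uint8_t *pppoe, size_t len)
{
    if (len < PPPOE_HDR_LEN + 1)
        return PPP_TRUNCATED;
    if (pppoe[PPPOE_HDR_LEN] & 0x01)
        return PPP_PFC;
    return len >= PPPOE_HDR_LEN + 2 ? PPP_UNCOMPRESSED : PPP_TRUNCATED;
}

/* Offset of the network header from the start of the PPPoE header, or -1
 * when the frame is left undissected (PFC or truncated). */
int network_header_offset(const uint8_t *pppoe, size_t len)
{
    return classify_ppp_field(pppoe, len) == PPP_UNCOMPRESSED
               ? PPPOE_HDR_LEN + 2 : -1;
}

/* Where the network header would land modulo 4 if the field were accepted.
 * Assumption: the PPPoE header itself starts on a 4-byte boundary. */
unsigned misalignment_if_accepted(enum ppp_field f)
{
    return (PPPOE_HDR_LEN + (f == PPP_PFC ? 1u : 2u)) % 4u;
}

int main(void)
{
    printf("plain: offset %d, misaligned by %u\n",
           network_header_offset(sample_plain, sizeof sample_plain),
           misalignment_if_accepted(PPP_UNCOMPRESSED));
    printf("pfc:   offset %d, misaligned by %u\n",
           network_header_offset(sample_pfc, sizeof sample_pfc),
           misalignment_if_accepted(PPP_PFC));
    return 0;
}
```

The same odd-first-octet test can be used in a capture filter or IDS rule to count PPPoE session frames with a compressed protocol field arriving on interfaces that are not expected to carry them.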

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the Linux kernel's network flow dissector, specifically in its handling of PPPoE Protocol Field Compression (PFC) frames. The flaw is reachable over the network with no authentication required: a remote attacker can send a specially crafted PPPoE PFC ethernet frame to an affected interface, triggering an unaligned memory access exception on architectures such as MIPS, which crashes the kernel. Successful exploitation causes a complete service disruption of the affected host. Patched-image rebuilds at versions 6.1.175 and 6.6.140 (and associated commit hashes) are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-46306 is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel feeds and matched against customer images within minutes of publication, including custom-built images that package their own kernel or kernel modules. Images running affected Linux kernel versions in any scanned registry or CI pipeline are flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.5 (HIGH) using the published v3.1 vector, and per-environment compliance policy weighting is applied to prioritize and route the finding to the appropriate team inbox within each customer organization. Environments running kernel workloads on network-facing nodes or architectures sensitive to unaligned access (such as MIPS or similar) will see this elevated in triage queues.

Status: Available

Patch

A patched-image rebuild at Linux kernel versions 6.1.175 and 6.6.140 becomes available on HarborGuard once images containing the fix commits are detected in upstream or customer-supplied base images. For customers who opt into auto-remediation, HarborGuard initiates a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send raw Ethernet frames (PPPoE PFC) to the target interface over the network, so the interface is directly exposed to network-based exploitation.

  • Authentication: Not required

    No credentials or session are needed; the kernel processes the malformed frame during early network packet handling before any authentication context is established.

  • Victim interaction: Not required

    No user or administrator action is required; the kernel handles inbound frames automatically without any human interaction on the target system.

  • Attack complexity: Detail

    The exploit is reliable and condition-free on vulnerable architectures with RPS enabled; the attacker simply sends a conforming PPPoE PFC frame and the unaligned access exception triggers deterministically.

Blast Radius

  • Crashes the kernel on affected architectures (such as MIPS) via an unaligned memory access exception, taking down all processes and services running on the host.
  • Causes a full denial of service for any workload hosted on the affected node, including containerized applications and network-facing services.
  • No confidential data is read and no data is modified; the sole impact is availability loss through a hard kernel fault.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against all customer images within minutes of publication, including custom kernel images and images based on affected Linux kernel releases. For environments running affected kernel versions (pre-6.1.175 or pre-6.6.140 stable branches), a patched-image rebuild becomes available as soon as a base image containing the upstream fix commits is present. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the patched version, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, customers can apply compensating controls such as network-policy isolation to restrict raw ethernet or PPPoE traffic to affected interfaces, and egress filtering to limit exposure of vulnerable nodes until the kernel is updated. HarborGuard re-checks the advisory on every ingest cycle and will surface the patched rebuild the moment upstream ships additional fixes for other affected version ranges.


Fix available

Affected packages
  • Linux / Linux
    < e7c811ca372d53c2be7d01a1614e71fae1054836 (from 10f665b52a75df6eb26ddebbbc072ee264183731) · < abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200 (from d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8) · < 18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3 (from 46126db9c86110e5fc1e369b9bb89735ddefdae4) · < db104b0d8a7856397c0469d83a4289adf7c54863 (from 46126db9c86110e5fc1e369b9bb89735ddefdae4) · < 6044392d9cace3a3672b02c8bc7d38b502e51734 (from 46126db9c86110e5fc1e369b9bb89735ddefdae4) · < 0d00b9015069712944934bab09eaa6c542143049 (from 46126db9c86110e5fc1e369b9bb89735ddefdae4)
  • Linux / Linux
    6.0
    Fixed in 0, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H