HIGH 7.5

CVE-2026-46306: Linux Kernel PPPoE Flow Dissector Denial-of-Service

A flaw in the Linux kernel's network flow dissector can crash systems when they receive malformed PPPoE (Point-to-Point Protocol over Ethernet) frames with Protocol Field Compression enabled. The kernel incorrectly attempts to process these frames, causing memory alignment violations that trigger kernel exceptions on affected CPU architectures like MIPS. An attacker can send a specially crafted PPPoE packet to any ethernet interface with RPS (Receive Packet Steering) enabled—even if no active PPPoE session exists—to crash the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: flow_dissector: do not dissect PPPoE PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the flow dissector driver has assumed an uncompressed frame until the blamed commit. During the review process of that commit [1], support for PFC is suggested. However, having a compressed (1-byte) protocol field means the subsequent PPP payload is shifted by one byte, causing 4-byte misalignment for the network header and an unaligned access exception on some architectures. The exception can be reproduced by sending a PPPoE PFC frame to an ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE session is active on that interface: $ 0 : 00000000 80c40000 00000000 85144817 $ 4 : 00000008 00000100 80a75758 81dc9bb8 $ 8 : 00000010 8087ae2c 0000003d 00000000 $12 : 000000e0 00000039 00000000 00000000 $16 : 85043240 80a75758 81dc9bb8 00006488 $20 : 0000002f 00000007 85144810 80a70000 $24 : 81d1bda0 00000000 $28 : 81dc8000 81dc9aa8 00000000 805ead08 Hi : 00009d51 Lo : 2163358a epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50 ra : 805ead08 __skb_get_hash_net+0x74/0x12c Status: 11000403 KERNEL EXL IE Cause : 40800010 (ExcCode 04) BadVA : 85144817 PrId : 0001992f (MIPS 1004Kc) Call Trace: [<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50 [<805ead08>] __skb_get_hash_net+0x74/0x12c [<805ef330>] get_rps_cpu+0x1b8/0x3fc [<805fca70>] netif_receive_skb_list_internal+0x324/0x364 [<805fd120>] napi_complete_done+0x68/0x2a4 [<8058de5c>] mtk_napi_rx+0x228/0xfec [<805fd398>] __napi_poll+0x3c/0x1c4 [<805fd754>] napi_threaded_poll_loop+0x234/0x29c [<805fd848>] napi_threaded_poll+0x8c/0xb0 [<80053544>] kthread+0x104/0x12c [<80002bd8>] ret_from_kernel_thread+0x14/0x1c Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000 To reduce the attack surface and maintain performance, do not process PPPoE PFC frames. [1] https://lore.kernel.org/r/[email protected]

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the Linux kernel's flow dissector logic, which classifies network traffic for steering and hashing. RFC 2516 specifies that Protocol Field Compression (PFC) is not recommended for PPPoE frames; the compressed protocol field uses one byte instead of two, shifting the PPP payload and creating a 4-byte alignment mismatch in the network header. When the dissector processes a PFC-compressed PPPoE frame, it reads from a misaligned memory address, causing an unaligned access exception (__skb_flow_dissect function). On architectures with strict alignment requirements (MIPS, ARM, others), this results in a kernel panic. The crash is reachable via RPS processing of incoming frames, requiring no active PPPoE session or privileged access.

Business impact

This is a denial-of-service vulnerability that can be exploited remotely to crash Linux systems handling PPPoE traffic. Even systems not using PPPoE can be affected if RPS is enabled (a common optimization on multi-CPU systems). Production environments relying on high availability—particularly ISPs, VPN gateways, and edge routers—face unexpected downtime. The low barrier to exploitation (unauthenticated remote trigger) and wide potential blast radius make this a significant operational risk for kernel maintainers and distributions.

Affected systems

All Linux kernel versions containing the flow dissector's PPPoE handling are potentially affected. The kernel's strict alignment rules apply most critically on MIPS, ARM, PowerPC, and other RISC architectures; x86/x64 systems tolerate misaligned access but still exhibit undefined behavior. Systems with RPS enabled (default on modern multi-core deployments) are directly vulnerable; single-core or RPS-disabled systems have reduced attack surface. The fix requires a kernel patch; no userspace workaround exists.

Exploitability

Exploitation requires only network access to send a single malformed PPPoE frame to any reachable ethernet interface. No authentication, user interaction, or special privileges are needed. An attacker on the same network segment or with IP-level routing access can trigger the crash. The RPS processing path is executed in the packet receive interrupt handler, bypassing most userspace security boundaries. Weaponization is straightforward: a simple packet crafting tool can generate and transmit the offending frame.

Remediation

Update the Linux kernel to a patched version that skips processing of PPPoE frames with Protocol Field Compression enabled. The fix modifies the flow dissector to explicitly reject or ignore compressed PPPoE frames, eliminating the alignment violation. Verify the patch version against your vendor's kernel advisory (verify against the vendor advisory for specific version numbers). As an interim mitigation on systems unable to patch immediately, disable RPS via the `rps_cpus` sysfs knob or restrict network access to trusted sources only; neither fully eliminates the risk.

Patch guidance

Coordinate with your Linux distribution for a patched kernel release targeting this CVE. Kernel maintainers have developed a straightforward fix that prevents dissection of PFC-marked PPPoE frames. Test patched kernels in a staging environment before production deployment, as kernel updates require reboot. Monitor your vendor's security advisory for release timelines. Systems not yet offered a patched kernel should prioritize patching once available, especially edge routers and VPN gateways handling untrusted traffic.

Detection guidance

Monitor system logs for kernel panics or unaligned access exceptions originating from the flow dissector (`__skb_flow_dissect` in stack traces). Network-level detection is challenging without deep packet inspection; PPPoE PFC frames may not be distinguishable from normal traffic in standard logs. Enable kernel crash dumps (kdump) and preserve them for forensic analysis. On MIPS and ARM systems, elevated rates of CPU exceptions in the network receive path may signal exploitation attempts. Intrusion detection systems may struggle to detect this attack, as the payload is a single crafted packet with no obvious signature.

Why prioritize this

Although unpatched systems face direct denial-of-service risk, the attack requires network reachability and is non-persistent (single crash per packet). However, the ease of exploitation and the critical nature of kernel stability warrant prompt patching. Organizations running kernel versions on MIPS or ARM hardware, or with RPS-heavy traffic patterns, should prioritize this update highest. Systems in isolated networks or with RPS disabled can follow a standard patch schedule.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a remotely exploitable, unauthenticated denial-of-service with no user interaction required and high availability impact. The Attack Vector is Network, Attack Complexity is Low, no authentication needed, no user interaction, and the scope is unchanged. Confidentiality and integrity are not affected, but availability is completely compromised for the affected system. The score does not account for mitigation of attack surface (RPS-disabled systems, isolated networks) or the non-persistent nature of the crash; organizations should contextualize this within their infrastructure topology.

Frequently asked questions

Can this vulnerability be exploited on x86/x64 systems?

x86/x64 CPUs do not enforce strict memory alignment in the same way as MIPS or ARM, so they tolerate misaligned reads without throwing an exception. However, misaligned access on x86/x64 degrades performance and triggers undefined behavior; the vulnerability is still present and should be patched on all architectures.

Do I need an active PPPoE session for the attack to work?

No. The vulnerability is triggered during RPS packet steering in the kernel's receive interrupt handler, before any session state is checked. An attacker need only send a crafted PPPoE PFC frame to any ethernet interface on the target system, regardless of whether PPPoE is in use.

What is RPS and do I have it enabled?

Receive Packet Steering (RPS) distributes incoming packets across CPUs for load balancing. It is enabled by default on most modern Linux distributions. Check by running `cat /sys/class/net/<iface>/queues/rx-*/rps_cpus`; if the values are non-zero, RPS is active. As a temporary mitigation, you can disable it, but this may reduce performance.

Will this crash also occur on systems with SELinux or AppArmor enabled?

No. SELinux and AppArmor operate at the application and filesystem level; they do not prevent kernel-level crashes triggered by memory alignment exceptions in the network stack. The crash occurs in kernel space before any LSM hook is invoked.

This analysis is based on the CVE record as published and vendor statements available at the time of writing. Specific patched kernel versions and distribution release dates should be verified directly with your vendor's security advisory. The vulnerability may have been mitigated or superseded by additional kernel changes; always refer to your vendor's official guidance before implementing remediation. SEC.co provides this analysis for informational purposes and does not warrant its completeness or accuracy for your specific environment. Organizations should conduct their own risk assessment and testing in alignment with their change management policies. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).