CRITICAL Published 2026-06-03

net/icmp IPPROTO_RAW Bypass

CVE-2026-46266

CVSS 9.1 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

KernelScan AI5.3MEDIUM

01Description

In the Linux kernel, the following vulnerability has been resolved: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP Yizhou Zhao reported that simply having one RAW socket on protocol IPPROTO_RAW (255) was dangerous. socket(AF_INET, SOCK_RAW, 255); A malicious incoming ICMP packet can set the protocol field to 255 and match this socket, leading to FNHE cache changes. inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST") pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner "man 7 raw" states: A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able to send any IP protocol that is specified in the passed header. Receiving of all IP protocols via IPPROTO_RAW is not possible using raw sockets. Make sure we drop these malicious packets.

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Remote attackers can send malicious ICMP packets with inner protocol field set to IPPROTO_RAW (255) to manipulate kernel FNHE cache entries. This affects systems with IPPROTO_RAW sockets and network connectivity, potentially disrupting routing decisions.

Affectednet/ipv4/icmp.c, net/ipv6/icmp.c (ICMP error handling)

Vulnerability analysis

The vulnerability stems from improper validation in ICMP error handling code that processes inner packets with protocol IPPROTO_RAW (255). According to raw(7) documentation, IPPROTO_RAW sockets should only send packets, never receive them. However, the kernel's icmp_socket_deliver() and icmpv6_notify() functions were delivering malicious ICMP packets containing inner IPPROTO_RAW packets to these sockets, allowing manipulation of FNHE cache entries. The fix adds explicit checks to drop such packets before processing. Attack surface is network-reachable via ICMP packets, though exploitation requires an existing IPPROTO_RAW socket (which needs CAP_NET_RAW to create).

03Fix Versions

Branch	Fixed in	Patch commit
6.12	6.12.75	`19e42490c89b`
6.18	6.18.14	`531c1aec81bf`
6.19	6.19.4	`719d3932b8f6`
6.6	6.6.128	`db76b75ede38`
mainline	7.0	`c89477ad7944`