HIGH Published 2026-06-08

net/core PPPoE Deref

CVE-2026-46306

CVSS 7.5 / 10.0 KernelScan AI

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

01Description

In the Linux kernel, the following vulnerability has been resolved: flow_dissector: do not dissect PPPoE PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the flow dissector driver has assumed an uncompressed frame until the blamed commit. During the review process of that commit [1], support for PFC is suggested. However, having a compressed (1-byte) protocol field means the subsequent PPP payload is shifted by one byte, causing 4-byte misalignment for the network header and an unaligned access exception on some architectures. The exception can be reproduced by sending a PPPoE PFC frame to an ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE session is active on that interface: $ 0 : 00000000 80c40000 00000000 85144817 $ 4 : 00000008 00000100 80a75758 81dc9bb8 $ 8 : 00000010 8087ae2c 0000003d 00000000 $12 : 000000e0 00000039 00000000 00000000 $16 : 85043240 80a75758 81dc9bb8 00006488 $20 : 0000002f 00000007 85144810 80a70000 $24 : 81d1bda0 00000000 $28 : 81dc8000 81dc9aa8 00000000 805ead08 Hi : 00009d51 Lo : 2163358a epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50 ra : 805ead08 __skb_get_hash_net+0x74/0x12c Status: 11000403 KERNEL EXL IE Cause : 40800010 (ExcCode 04) BadVA : 85144817 PrId : 0001992f (MIPS 1004Kc) Call Trace: [<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50 [<805ead08>] __skb_get_hash_net+0x74/0x12c [<805ef330>] get_rps_cpu+0x1b8/0x3fc [<805fca70>] netif_receive_skb_list_internal+0x324/0x364 [<805fd120>] napi_complete_done+0x68/0x2a4 [<8058de5c>] mtk_napi_rx+0x228/0xfec [<805fd398>] __napi_poll+0x3c/0x1c4 [<805fd754>] napi_threaded_poll_loop+0x234/0x29c [<805fd848>] napi_threaded_poll+0x8c/0xb0 [<80053544>] kthread+0x104/0x12c [<80002bd8>] ret_from_kernel_thread+0x14/0x1c Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000 To reduce the attack surface and maintain performance, do not process PPPoE PFC frames. [1] https://lore.kernel.org/r/20220630231016.GA392@debian.home

02KernelScan AI Analysis

Engine v0.2.0

Risk summary

Remote attackers can crash systems by sending malformed PPPoE frames with Protocol Field Compression to any ethernet interface. The vulnerability causes unaligned memory access exceptions on certain architectures like MIPS, leading to immediate kernel panic. No authentication or active PPPoE sessions are required.

Affectednet/core/flow_dissector.c (network flow dissector)

Vulnerability analysis

The flow dissector incorrectly handles PPPoE Protocol Field Compression frames by shifting payload alignment, causing unaligned memory access on architectures that don't handle this gracefully. The original code attempted to support both compressed (1-byte) and uncompressed (2-byte) protocol fields, but the 1-byte shift breaks 4-byte alignment assumptions. The fix removes PFC support entirely, rejecting such frames during validation to prevent the alignment issue. Attack surface is any system with ethernet interfaces processing network traffic.

03Fix Versions

Branch	Fixed in	Patch commit
6.1	6.1.175	`e7c811ca372d`
6.12	6.12.88	`18ae9eacfc95`
6.18	6.18.30	`db104b0d8a78`
6.6	6.6.140	`abc5bc84e0f2`
7.0	7.0.7	`6044392d9cac`
mainline	7.1-rc1	`0d00b9015069`