CVE-2026-46266
Linux Kernel IPPROTO_RAW ICMP Packet Handling Vulnerability
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's handling of RAW sockets using the IPPROTO_RAW protocol (255). Normally, RAW sockets with IPPROTO_RAW are used to send custom IP packets, but they should not receive incoming packets. However, a malicious incoming ICMP packet can set its protocol field to 255 and match such a RAW socket, which can lead to unintended changes in the kernel's FNHE (FIB nexthop exception) cache.
Specifically, having a RAW socket open with protocol 255 allows an attacker to send crafted ICMP packets that exploit this behavior, potentially causing harmful side effects in the kernel's network processing.
How can this vulnerability impact me?
The vulnerability allows malicious ICMP packets to interact with RAW sockets in an unintended way, potentially leading to changes in the kernel's FNHE cache. This could be exploited to disrupt normal network operations or cause unexpected behavior in the system's network stack.
While the exact impact is not detailed, such kernel-level vulnerabilities can lead to denial of service or other network-related issues, affecting system stability and security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the presence of a RAW socket using protocol IPPROTO_RAW (255) that can be exploited by malicious incoming ICMP packets.
To detect if such a RAW socket exists on your system, you can check for open RAW sockets with protocol 255.
- Use the command `ss -a -f inet | grep -i raw` to list RAW sockets (`ss` prints the socket type in lowercase, so the match must be case-insensitive).
- Use `netstat -anp | grep raw` to find raw sockets and their associated processes.
- Check for processes creating RAW sockets with protocol 255 by inspecting socket details in `/proc` or using tools like `lsof`.
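The `/proc` inspection in the last item can be scripted. The following is an added example, not part of the CVE record or the kernel fix. It relies on `/proc/net/raw` printing each raw socket's protocol number in the local port field (`00FF` for 255); the function names and the `--scan` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the CVE record): find IPv4 raw sockets opened with
# protocol 255 (IPPROTO_RAW) and the processes holding them.

# Print "inode uid" for each row of a /proc/net/raw style table whose local
# "port" is 00FF. For raw sockets the kernel prints the socket's protocol
# number in that field, so 00FF means protocol 255.
raw255_sockets() {
    awk 'NR > 1 {
        n = split($2, loc, ":")
        if (n == 2 && toupper(loc[2]) == "00FF") print $10, $8
    }' "${1:-/proc/net/raw}"
}

# Print "pid(comm)" for every process with a descriptor on socket inode $1.
# Needs root to read other users' /proc/<pid>/fd entries.
socket_owners() (
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s(%s)\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done | sort -u
)

# One line per protocol-255 socket: inode, owning uid, holder processes.
report_raw255() {
    raw255_sockets "$@" | while read -r inode uid; do
        owners=$(socket_owners "$inode" | paste -sd, -)
        printf 'inode=%s uid=%s owners=%s\n' "$inode" "$uid" "${owners:-none-visible}"
    done
}

# Scan the live table only when asked, e.g. `sh raw255.sh --scan`.
if [ "${1:-}" = "--scan" ]; then report_raw255; fi
```

`/proc/net/raw` lists only IPv4 raw sockets in the current network namespace, so repeat the scan inside each namespace or container of interest.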
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by ensuring that incoming ICMP packets with protocol field set to 255 are dropped when a RAW socket with IPPROTO_RAW exists.
Immediate mitigation steps include:
- Update the Linux kernel to a version where this vulnerability is fixed.
- If updating is not immediately possible, restrict or disable applications that create RAW sockets with protocol 255.
- Implement firewall rules to drop incoming ICMP packets that could exploit this vulnerability.