CVE-2026-53003
Received Received - Intake
PPPoE PFC Frame Handling Flaw in Linux Kernel

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames. If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures. To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53003
EUVD
EUVD-2026-38871
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's PPPoE implementation related to Protocol Field Compression (PFC). According to RFC 2516 Section 7, PFC is not recommended for PPPoE. The PPPoE driver assumes an uncompressed 2-byte protocol field, but the generic PPP layer function ppp_input() still accepts frames with compressed (1-byte) protocol fields.

If a peer or attacker sends a frame with a compressed protocol field, the PPP payload is shifted by one byte, causing the network header to be misaligned by 4 bytes. This misalignment can trigger unaligned access exceptions on some hardware architectures.

The fix involves dropping PPPoE PFC frames and introducing a helper function to detect compressed protocol frames to prevent this issue.

Impact Analysis

This vulnerability can cause network packet misalignment leading to unaligned access exceptions on some architectures. Such exceptions may cause crashes or instability in the network stack, potentially leading to denial of service conditions.

An attacker could exploit this by sending specially crafted PPPoE frames with compressed protocol fields, disrupting normal network communication or causing kernel errors.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the fix has been applied. The fix involves dropping PPPoE Protocol Field Compression (PFC) frames to prevent misaligned network headers caused by compressed protocol fields.

Specifically, the patch introduces a helper function ppp_skb_is_compressed_proto() used in the PPP generic and PPPoE drivers to detect and drop PFC frames, reducing the attack surface.

Therefore, immediate mitigation steps include applying the latest kernel updates that contain this fix and avoiding use of PPPoE sessions that negotiate or accept PFC frames.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53003. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart