CVE-2026-46266 in Linux
Summary
by MITRE • 06/03/2026
In the Linux kernel, the following vulnerability has been resolved:
inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
Yizhou Zhao reported that simply having one RAW socket on protocol IPPROTO_RAW (255) was dangerous.
socket(AF_INET, SOCK_RAW, 255);
A malicious incoming ICMP packet can set the protocol field to 255 and match this socket, leading to FNHE cache changes.
inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST")
pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner
"man 7 raw" states:
A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able to send any IP protocol that is specified in the passed header. Receiving of all IP protocols via IPPROTO_RAW is not possible using raw sockets.
Make sure we drop these malicious packets.
Analysis
by VulDB Data Team • 06/03/2026
The vulnerability is a flaw in the Linux kernel's handling of RAW sockets opened with protocol IPPROTO_RAW (255). The kernel did not validate incoming ICMP packets whose embedded header claims protocol 255: such packets were matched to an IPPROTO_RAW socket and processed as if they concerned traffic that socket had sent, even though, per "man 7 raw", an IPPROTO_RAW socket can never receive anything. The summary makes the consequence explicit: once a single socket of this kind exists on the host, opened by any process for any purpose, a remote sender can reach the kernel's forwarding cache through it.
Technically, the attack path runs through the kernel's handling of ICMP error messages. The attacker sends an ICMP packet of type 3, code 4 (Destination Unreachable: Fragmentation Needed, which carries a next-hop MTU) whose inner IP header has its protocol field set to 255. The kernel matches that inner protocol against the open RAW sockets, finds the IPPROTO_RAW socket, and processes the error through the raw-socket handler instead of dropping it. As a result the FNHE (FIB nexthop exception) cache is updated on the basis of a forged packet, which can lead to incorrect routing decisions or cache poisoning.
The operational impact goes beyond a packet-processing error and can enable routing manipulation, network disruption and potentially privilege escalation. An attacker can inject routing information into the forwarding cache, redirecting traffic through unintended paths or creating denial-of-service conditions. Network infrastructure components that rely on RAW sockets for legitimate purposes are particularly exposed, because the presence of even one such socket is a persistent attack surface. The root cause is a design flaw in the kernel's packet filtering logic, which failed to distinguish legitimate IPPROTO_RAW usage from crafted ICMP packets that abuse the protocol number.
The fix adds validation on the receive path so that incoming ICMP packets matching the IPPROTO_RAW protocol specification are dropped before they reach such sockets, regardless of their content or source, in line with established packet-filtering and kernel-security practice. VulDB classifies this vulnerability under CWE-119 (improper restriction of operations within the bounds of a memory buffer) and relates it to ATT&CK techniques for privilege escalation and denial of service through kernel manipulation. Mitigation should combine the kernel patch with defensive configuration that limits RAW socket use to the processes that need it, and the same reasoning should be applied to other network stack components. The fix preserves legitimate IPPROTO_RAW use cases (sending arbitrary IP protocols with IP_HDRINCL) while ensuring the kernel identifies and rejects these manipulation attempts.
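The following Python script is an added example, not code from the kernel, from the reporter or from VulDB. It serves both the packet described in the summary and the mechanism described in the analysis above: it builds the forged ICMP error (type 3, code 4, next-hop MTU 576, inner IPv4 header with protocol 255) from raw bytes with struct rather than scapy, parses such packets back into their outer header, ICMP header and quoted inner header, flags the anomaly a defender can detect (an ICMP error quoting a datagram with the IANA-reserved protocol number 255), and models the raw-socket delivery rule before and after the fix. The delivery model (raw_socket_receives_error) is an assumption: a deliberately simplified stand-in for the kernel's demux, not its actual code. All packets are constructed in memory; nothing is sent.

```python
"""Decode ICMP error packets and apply the IPPROTO_RAW delivery rule (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_RAW = 255          # socket-API pseudo-protocol; IANA marks 255 "Reserved"
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
# ICMP types whose body quotes the offending datagram's IP header (RFC 792 / RFC 1122).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def inet_checksum(data: bytes) -> int:
    """Ones'-complement checksum used by IPv4 and ICMP headers (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram: IHL 5, no options, TTL 64, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_frag_needed(next_hop_mtu: int, inner: bytes) -> bytes:
    """ICMP type 3 code 4 with the next-hop MTU field (RFC 1191) followed by the quoted datagram."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


@dataclass
class IcmpError:
    outer_src: str
    outer_dst: str
    icmp_type: int
    icmp_code: int
    next_hop_mtu: int      # meaningful only for type 3 code 4; 0 otherwise
    inner_src: str
    inner_dst: str
    inner_proto: int


def parse_ipv4_header(data: bytes):
    """Return (proto, src, dst, header_len); raise ValueError on a malformed header."""
    if len(data) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("bad IPv4 version/IHL")
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), ihl


def parse_icmp_error(pkt: bytes) -> Optional[IcmpError]:
    """Decode an ICMP error carrying an inner IPv4 header; None for anything else."""
    proto, src, dst, ihl = parse_ipv4_header(pkt)
    if proto != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    itype, icode, _, _, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if itype not in ICMP_ERROR_TYPES:
        return None
    try:
        inner_proto, isrc, idst, _ = parse_ipv4_header(pkt[ihl + 8:])
    except ValueError:
        return None
    if not (itype == ICMP_DEST_UNREACH and icode == ICMP_FRAG_NEEDED):
        mtu = 0
    return IcmpError(src, dst, itype, icode, mtu, isrc, idst, inner_proto)


def raw_socket_receives_error(sock_proto: int, err: IcmpError, fixed: bool = True) -> bool:
    """Simplified model (assumption, not kernel code) of raw-socket ICMP error demux.
    Unfixed: any raw socket whose protocol equals the quoted header's protocol gets the error.
    Fixed: sockets bound to IPPROTO_RAW are skipped, as 'man 7 raw' says they receive nothing."""
    if fixed and sock_proto == IPPROTO_RAW:
        return False
    return sock_proto == err.inner_proto


def is_suspicious(err: IcmpError) -> bool:
    """Detection heuristic: no legitimate ICMP error quotes a datagram with protocol 255."""
    return err.inner_proto == IPPROTO_RAW


def build_samples():
    """Constructed packets: the forged one mirrors the page's scapy line; the benign one quotes TCP."""
    forged_inner = build_ipv4("192.168.2.1", "8.8.8.8", IPPROTO_RAW, b"TEST")
    forged = build_ipv4("192.168.1.1", "192.168.2.1", IPPROTO_ICMP,
                        build_icmp_frag_needed(576, forged_inner))
    benign_inner = build_ipv4("192.168.2.1", "8.8.8.8", IPPROTO_TCP, b"\x00" * 8)
    benign = build_ipv4("192.168.1.1", "192.168.2.1", IPPROTO_ICMP,
                        build_icmp_frag_needed(1400, benign_inner))
    return forged, benign


if __name__ == "__main__":
    for name, pkt in zip(("forged", "benign"), build_samples()):
        err = parse_icmp_error(pkt)
        print(name, err, "SUSPICIOUS" if is_suspicious(err) else "ok",
              "| raw(255) gets it unfixed:", raw_socket_receives_error(IPPROTO_RAW, err, fixed=False),
              "fixed:", raw_socket_receives_error(IPPROTO_RAW, err))
```

The same parse_icmp_error and is_suspicious pair can be run over captured ICMP traffic (for example frames pulled from a pcap) to spot errors quoting protocol 255 on hosts that cannot yet take the kernel fix; the unfixed branch of the model only exists to show why the check in the fix has to key on the socket's protocol rather than on the packet contents.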