CVE-2026-46266 Overview
CVE-2026-46266 affects the Linux kernel networking stack. The flaw resides in how RAW sockets bound to IPPROTO_RAW (protocol 255) handle incoming ICMP packets. According to the kernel advisory, having a single open RAW socket on protocol 255 is sufficient to expose the system. A malicious ICMP packet whose inner header carries a protocol value of 255 can match the socket and trigger Forwarding Next Hop Exception (FNHE) cache modifications. The raw(7) man page explicitly states that IPPROTO_RAW is send-only and must not deliver incoming traffic, making the previous behavior a violation of the documented contract.
Critical Impact
A remote attacker can send crafted ICMP packets to alter route cache state on any host that has opened a RAW socket with IPPROTO_RAW, enabling route manipulation against the target system.
Affected Products
- Linux kernel branches receiving the patches in commits 19e42490, 531c1aec, 719d3932, c89477ad, and db76b75e
- Systems running applications that open socket(AF_INET, SOCK_RAW, 255)
- Distributions that have not yet backported the upstream stable fixes
Discovery Timeline
- Vulnerability reported by Yizhou Zhao
- 2026-06-03 - CVE-2026-46266 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46266
Vulnerability Analysis
The Linux kernel allows user space to create a RAW socket bound to protocol 255 (IPPROTO_RAW). Per the kernel's documented API, this socket type implies IP_HDRINCL and is intended exclusively for sending arbitrary IP protocol packets. Reception of traffic on IPPROTO_RAW is not supposed to occur. The kernel's RAW socket lookup path did not enforce this restriction, so any incoming IPv4 packet whose protocol field equals 255 would match and be delivered to the listening socket.
Because ICMP error processing inspects the inner IP header of payloads such as Destination Unreachable or Fragmentation Needed, the kernel could be steered into FNHE cache updates based on attacker-controlled values. This allows manipulation of the routing decisions made by the host for arbitrary destination addresses.
Root Cause
The RAW socket input demultiplexer accepted protocol 255 matches instead of dropping them. The kernel's behavior diverged from the raw(7) specification, which requires that IPPROTO_RAW reception be impossible. The fix forces the input path to drop packets destined for sockets bound to IPPROTO_RAW.
Attack Vector
An attacker sends a crafted ICMP error message to a host that has opened a RAW socket on protocol 255. The outer packet is an ICMP type 3 (Destination Unreachable) with code 4 (Fragmentation Needed) carrying a next-hop MTU value. The inner IP header references the victim's network with proto=255. The kernel parses the ICMP error, matches the inner protocol to the RAW socket, and updates the FNHE cache, lowering the path MTU or otherwise altering routing for the spoofed destination.
No synthetic code is provided. Refer to the upstream commits for the exact packet handling change. See Kernel commit 19e42490 and Kernel commit 531c1aec.
Detection Methods for CVE-2026-46266
Indicators of Compromise
- Processes invoking socket(AF_INET, SOCK_RAW, 255) on production hosts where this is not expected
- Inbound ICMP type 3 code 4 packets carrying inner IP headers with protocol field set to 255
- Unexpected entries or short-lived MTU drops in the FNHE route cache visible via ip route get for external destinations
Detection Strategies
- Audit running processes with ss -lp or lsof for RAW sockets bound to protocol 255 and flag unknown owners
- Inspect network captures for ICMP errors whose embedded inner IP header advertises proto=255, which is anomalous on legitimate traffic
- Correlate kernel route cache changes with inbound ICMP error packets received in the same window
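The capture-inspection check above can be expressed as a small classifier over raw IPv4 packet bytes. This is an added example, not code from the advisory or the kernel; it generalizes from type 3 code 4 to every ICMP error type that embeds an inner header, and the function names and sample packets (documentation addresses, zero checksums) are constructed for illustration.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

IPPROTO_ICMP, IPPROTO_RAW = 1, 255
# ICMP types that embed the header of the datagram they refer to (RFC 792).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

class Finding(NamedTuple):
    sender: str                  # outer source address (may be spoofed)
    icmp_type: int
    icmp_code: int
    next_hop_mtu: Optional[int]  # only meaningful for type 3 code 4
    inner_dst: str               # destination named by the embedded header

def inspect_ipv4_packet(pkt: bytes) -> Optional[Finding]:
    """Return a Finding if pkt is an ICMP error whose inner header has proto 255."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if ihl < 20 or pkt[9] != IPPROTO_ICMP or frag_offset:
        return None
    if len(pkt) < ihl + 8 + 20:          # ICMP header + minimal inner IPv4 header
        return None
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    inner = pkt[ihl + 8:]
    if icmp_type not in ICMP_ERROR_TYPES or inner[0] >> 4 != 4:
        return None
    if inner[9] != IPPROTO_RAW:          # legitimate traffic never carries proto 255 here
        return None
    mtu = None
    if (icmp_type, icmp_code) == (3, 4):
        mtu = struct.unpack_from("!H", pkt, ihl + 6)[0]
    return Finding(str(ipaddress.IPv4Address(pkt[12:16])), icmp_type, icmp_code,
                   mtu, str(ipaddress.IPv4Address(inner[16:20])))

# Constructed sample packets (documentation addresses, checksums left at zero).
_OUTER = "4500003800000000" "40010000" "c6336407" "c000020a"
_ICMP = "03040000" "00000228"            # type 3, code 4, next-hop MTU 552
_INNER = "4500001c00000000" "40{proto:02x}0000" "c000020a" "cb007105" + "00" * 8

def sample(inner_proto: int) -> bytes:
    return bytes.fromhex(_OUTER + _ICMP + _INNER.format(proto=inner_proto))

if __name__ == "__main__":
    for proto in (17, 255):
        print(proto, inspect_ipv4_packet(sample(proto)))
```

Feed it the IP-layer bytes of each captured packet; the `inner_dst` field is the destination to check against the route cache when correlating.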
Monitoring Recommendations
- Enable auditd rules on the socket syscall to log creation of SOCK_RAW sockets with protocol 255
- Forward ICMP telemetry from edge devices into a SIEM and alert on type 3 code 4 messages from untrusted sources
- Track kernel version inventory against the fixed stable releases to identify hosts pending remediation
How to Mitigate CVE-2026-46266
Immediate Actions Required
- Apply the upstream Linux stable kernel update that includes the RAW socket input drop for IPPROTO_RAW
- Identify and remove or restrict applications that open RAW sockets on protocol 255 unless strictly required
- Restrict CAP_NET_RAW to the minimum set of processes and users that need to send raw IP traffic
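One way to identify the applications holding protocol 255 sockets is to read /proc/net/raw, where the port half of local_address is the protocol number, and resolve each socket inode to its owning process. This is an added example, not part of the advisory; the function names and the sample table are constructed for illustration.

```python
import os

IPPROTO_RAW = 255

def raw255_sockets(proc_net_raw: str) -> dict:
    """Parse /proc/net/raw text; return {inode: uid} for sockets on protocol 255.

    For raw sockets the "port" half of local_address holds the protocol number.
    """
    hits = {}
    for line in proc_net_raw.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        proto = int(fields[1].rsplit(":", 1)[1], 16)
        if proto == IPPROTO_RAW:
            hits[int(fields[9])] = int(fields[7])     # inode -> owning uid
    return hits

def socket_owners(inodes, proc_root: str = "/proc") -> dict:
    """Map each inode in `inodes` to [(pid, comm), ...] via /proc/<pid>/fd links."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                link = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
                if link.startswith("socket:[") and int(link[8:-1]) in inodes:
                    with open(f"{proc_root}/{pid}/comm") as fh:
                        comm = fh.read().strip()
                    owners.setdefault(int(link[8:-1]), []).append((int(pid), comm))
        except OSError:                               # process exited or access denied
            continue
    return owners

# Constructed sample in /proc/net/raw layout: one ICMP socket, one protocol-255 socket.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
 255: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 4242 2 0000000000000000 0
"""

if __name__ == "__main__":
    with open("/proc/net/raw") as fh:
        live = raw255_sockets(fh.read())
    for inode, procs in socket_owners(live).items():
        print(f"inode={inode} uid={live[inode]} owners={procs}")
```

Run it as root so every process's fd directory is readable. /proc/net/raw lists only the current network namespace, so containers with their own namespace need the check run inside them.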
Patch Information
The fix is delivered in upstream kernel commits 19e42490, 531c1aec, 719d3932, c89477ad, and db76b75e. These commits modify the RAW socket input path so that packets matched against an IPPROTO_RAW socket are dropped. Update to the corresponding stable kernel release for your distribution.
Workarounds
- Filter inbound ICMP error messages at the network perimeter when their inner IP header references protocol 255
- Drop CAP_NET_RAW from container runtimes and unprivileged services to prevent creation of the vulnerable socket
- Use seccomp profiles to block socket() calls requesting SOCK_RAW with protocol 255 in applications that do not require it
# Example: deny CAP_NET_RAW in a systemd unit
# /etc/systemd/system/example.service.d/override.conf
[Service]
CapabilityBoundingSet=~CAP_NET_RAW
AmbientCapabilities=
NoNewPrivileges=true


