CVE-2026-46306 Overview
CVE-2026-46306 is a Linux kernel vulnerability in the flow_dissector subsystem. The flaw allows a remote attacker to trigger an unaligned access exception by sending a crafted PPPoE frame with Protocol Field Compression (PFC) enabled. The exception occurs in __skb_flow_dissect when the compressed 1-byte protocol field shifts the subsequent PPP payload, causing 4-byte misalignment for the network header. On affected architectures such as MIPS, this triggers a kernel exception and denial of service. The vulnerability has been resolved by skipping flow dissection on PPPoE PFC frames.
Critical Impact
A single crafted PPPoE PFC frame sent to an Ethernet interface can trigger a kernel exception on architectures sensitive to unaligned memory access, even when no PPPoE session is active.
Affected Products
- Linux kernel versions containing the flow dissector PPPoE handling logic prior to the fix
- Architectures sensitive to unaligned memory access, including MIPS
- Systems with Receive Packet Steering (RPS) enabled on Ethernet interfaces
Discovery Timeline
- 2026-06-08 - CVE-2026-46306 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46306
Vulnerability Analysis
The vulnerability resides in __skb_flow_dissect within the Linux kernel flow dissector. RFC 2516 Section 7 states that Protocol Field Compression is NOT RECOMMENDED for PPPoE. In practice, pppd does not negotiate PFC for PPPoE sessions, and the flow dissector previously assumed an uncompressed protocol field.
A prior commit introduced support for PFC frames in the dissector. When a PFC-encoded PPPoE frame is processed, the protocol field shrinks from two bytes to one byte. This single-byte shift breaks 4-byte alignment for the network header that follows.
On architectures that require aligned memory access, such as MIPS 1004Kc, the misaligned read triggers an Address Error exception (ExcCode 04) in the kernel. The call trace observed begins at __skb_flow_dissect+0x1b0/0x1b50, propagates through __skb_get_hash_net, and reaches get_rps_cpu when RPS is enabled.
Root Cause
The root cause is improper handling of optional PPPoE protocol field compression inside __skb_flow_dissect. Supporting PFC required the dissector to read the network header at a non-word-aligned offset. On strict-alignment architectures, an unaligned load in this code path is fatal and is not handled by a fixup.
Attack Vector
An attacker on the same Layer 2 segment can send a single PPPoE frame with the PFC bit set to any Ethernet interface on the target. No PPPoE session needs to be established on the interface. With RPS enabled, the dissector executes during early receive processing, causing the kernel exception. The result is a denial-of-service condition on affected hardware.
No verified public proof-of-concept code is available. The kernel commit log reproduces the issue using a crafted PPPoE PFC frame sent to a MIPS-based board with RPS enabled.
Detection Methods for CVE-2026-46306
Indicators of Compromise
- Kernel oops or panic entries referencing __skb_flow_dissect in the call trace
- Address Error exceptions (ExcCode 04) on MIPS systems with BadVA values pointing into network header memory
- Unexpected NAPI thread crashes such as mtk_napi_rx or napi_threaded_poll_loop in dmesg
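The log indicators above can be matched mechanically. This is an added example, not code from the advisory or the kernel project: it groups call-trace lines and reports traces that contain a flow dissector symbol, together with the ExcCode and BadVA seen just before them. The log layout, addresses and the function name `scan_kernel_log` are assumptions, and the sample log is constructed.

```python
import re

DISSECTOR_SYMS = ("__skb_flow_dissect", "__skb_get_hash_net", "get_rps_cpu")
FRAME_RE = re.compile(r"\]\s+(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
EXC_RE = re.compile(r"ExcCode\s+([0-9a-f]{2})", re.I)
BADVA_RE = re.compile(r"BadVA\s*:\s*([0-9a-f]+)", re.I)

# Constructed sample log: timestamps, addresses and register values are placeholders.
SAMPLE_LOG = """\
[  412.101] Unhandled kernel unaligned access[#1]:
[  412.102] Cause : 40800010 (ExcCode 04)
[  412.103] BadVA : 8f0a1235
[  412.104] Call Trace:
[  412.105] [<80510000>] __skb_flow_dissect+0x1b0/0x1b50
[  412.106] [<80510100>] __skb_get_hash_net+0x60/0x1a0
[  412.107] [<80510200>] get_rps_cpu+0x120/0x400
[  412.108] [<80510300>] napi_threaded_poll_loop+0x90/0x200
[  412.109]
[  900.001] Call Trace:
[  900.002] [<80200000>] ext4_readdir+0x10/0x800
[  900.003]
""".splitlines()


def scan_kernel_log(lines):
    """Return one finding per call trace that contains a flow dissector symbol."""
    findings, ctx, trace = [], {}, None

    def flush():
        nonlocal trace
        hits = [s for s in (trace or []) if s in DISSECTOR_SYMS]
        if hits:
            findings.append({"symbols": hits, "frames": trace, **ctx})
        trace = None

    for line in lines:
        if m := EXC_RE.search(line):
            ctx["exc_code"] = int(m.group(1), 16)   # register dump context
        if m := BADVA_RE.search(line):
            ctx["badva"] = m.group(1)
        if "Call Trace:" in line:
            flush()
            trace = []
        elif trace is not None:
            m = FRAME_RE.search(line)
            if m:
                trace.append(m.group(1))
            else:                                   # trace ended: emit and reset context
                flush()
                ctx = {}
    flush()
    return findings
```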
Detection Strategies
- Monitor kernel logs for crashes originating in __skb_flow_dissect, __skb_get_hash_net, or get_rps_cpu
- Inspect network captures for PPPoE Discovery or Session frames with the Protocol Field Compression bit set
- Correlate interface flaps or NAPI thread restarts with inbound PPPoE traffic on non-PPPoE interfaces
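For the capture inspection above, and to make the one-byte shift from the Vulnerability Analysis section concrete, the following added example (not code from the advisory or the kernel project) classifies raw Ethernet frames taken from a capture and reports where the network header would start. The function name, the sample frames and the alignment baseline (the byte after the 14-byte Ethernet header is treated as 4-byte aligned) are assumptions.

```python
import struct

ETH_HLEN = 14
VLAN_TPIDS = (0x8100, 0x88A8)
ETH_P_PPP_SES = 0x8864

# Constructed sample frames: locally administered MACs, PPPoE session 0x0001,
# 20 zero bytes as placeholder payload. Only the PPP protocol field differs.
SAMPLE_UNCOMPRESSED = bytes.fromhex(
    "02000000000a02000000000b8864" "110000010016" "0021") + bytes(20)
SAMPLE_PFC = bytes.fromhex(
    "02000000000a02000000000b8864" "110000010015" "21") + bytes(20)


def inspect_pppoe(frame):
    """Describe the PPP protocol field of a PPPoE session frame, else None."""
    if len(frame) < ETH_HLEN:
        return None
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype in VLAN_TPIDS:          # skip in-band 802.1Q / 802.1ad tags
        if len(frame) < off + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != ETH_P_PPP_SES or len(frame) < off + 8:
        return None
    ver_type, code, session_id, _length = struct.unpack_from("!BBHH", frame, off)
    if ver_type != 0x11 or code != 0x00:    # RFC 2516 session data only
        return None
    off += 6
    # RFC 1661: protocol numbers have an odd low octet and an even high octet,
    # so an odd first octet means the field was compressed to a single byte.
    pfc = bool(frame[off] & 0x01)
    proto = frame[off] if pfc else struct.unpack_from("!H", frame, off)[0]
    net_off = off + (1 if pfc else 2)
    # Assumption: the byte after the 14-byte Ethernet header is 4-byte aligned.
    return {"pfc": pfc, "ppp_proto": proto, "session_id": session_id,
            "net_header_offset": net_off,
            "misaligned": (net_off - ETH_HLEN) % 4 != 0}
```

With the uncompressed field the network header starts 8 bytes after the Ethernet header; with the compressed field it starts 7 bytes after, which is the misalignment the dissector hit.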
Monitoring Recommendations
- Forward kernel ring buffer messages to a centralized logging system and alert on stack traces containing flow dissector symbols
- Track EPSS scoring updates for CVE-2026-46306 to detect changes in exploitation likelihood beyond the current 0.024% probability
- Audit which interfaces have RPS enabled and prioritize patching for systems exposing Layer 2 reachable interfaces
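For the RPS audit in the last item, this added example (not from the advisory or the kernel tree) reads the per-queue `rps_cpus` masks from sysfs and lists the receive queues where RPS is active. The function name and the `sysfs_net` parameter are hypothetical; the parameter exists so the check can run against a copied or mocked sysfs tree.

```python
from pathlib import Path


def rps_enabled_queues(sysfs_net="/sys/class/net"):
    """Map interface name -> [(rx queue, [cpu, ...])] for queues with RPS enabled."""
    result = {}
    for f in sorted(Path(sysfs_net).glob("*/queues/rx-*/rps_cpus")):
        try:
            raw = f.read_text().strip()
        except OSError:
            continue                      # queue vanished or not readable
        # rps_cpus is a hex CPU bitmap, comma-separated in 32-bit groups
        # (for example "00000000,0000000f"); an all-zero mask means RPS is off.
        mask = int(raw.replace(",", ""), 16) if raw else 0
        if mask:
            cpus = [i for i in range(mask.bit_length()) if mask >> i & 1]
            iface, queue = f.parts[-4], f.parent.name
            result.setdefault(iface, []).append((queue, cpus))
    return result


if __name__ == "__main__":
    for iface, queues in rps_enabled_queues().items():
        for queue, cpus in queues:
            print(f"{iface} {queue}: RPS steers to CPUs {cpus}")
```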
How to Mitigate CVE-2026-46306
Immediate Actions Required
- Apply the upstream Linux kernel fix that skips flow dissection on PPPoE PFC frames
- Identify embedded and MIPS-based devices in the fleet that may be most susceptible to unaligned access faults
- Restrict Layer 2 access to trusted segments where untrusted devices cannot inject arbitrary PPPoE frames
Patch Information
The fix has been merged across multiple stable branches. Relevant Linux kernel commits include 0d00b90, 18ae9ea, 6044392, 7c93f35, abc5bc8, d6c19b3, db104b0, and e7c811c. The patch modifies __skb_flow_dissect to bypass dissection on PPPoE frames carrying a compressed protocol field.
Workarounds
- Disable RPS on interfaces that do not require it to remove the flow dissector from the early receive path
- Apply ingress filtering at upstream switches to drop PPPoE EtherTypes (0x8863, 0x8864) on interfaces that do not terminate PPPoE
- Segment MIPS and other strict-alignment embedded devices onto management VLANs that exclude untrusted hosts
```bash
# Disable RPS on every receive queue of an interface as a temporary mitigation
for q in /sys/class/net/eth0/queues/rx-*/rps_cpus; do
    echo 0 > "$q"
done
# Drop inbound PPPoE Discovery and Session frames at the bridge layer
ebtables -A INPUT -p 0x8863 -j DROP
ebtables -A INPUT -p 0x8864 -j DROP
```