Description
In the Linux kernel, the following vulnerability has been resolved:

inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP

Yizhou Zhao reported that simply having one RAW socket on protocol
IPPROTO_RAW (255) was dangerous.

socket(AF_INET, SOCK_RAW, 255);

A malicious incoming ICMP packet can set the protocol field to 255
and match this socket, leading to FNHE cache changes.

inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST")
pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner

"man 7 raw" states:

A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able
to send any IP protocol that is specified in the passed header.
Receiving of all IP protocols via IPPROTO_RAW is not possible
using raw sockets.

Make sure we drop these malicious packets.
Published: 2026-06-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a raw socket bound to IPPROTO_RAW (protocol number 255) can erroneously accept ICMP packets that set the protocol field to 255. A crafted ICMP packet matching this value will be delivered to the socket and can trigger changes in the kernel's FNHE cache. The result is undefined kernel state changes, which may manifest as instability or other erratic behavior. This issue is classified as CWE‑1287 (Improper Access Control).

Affected Systems

All Linux kernel implementations are susceptible, as indicated by the CPE entries covering the generic linux_kernel and specific build versions such as 2.6.12 and its release candidates.

Risk and Exploitability

Exploitation is possible by an attacker who can send arbitrary ICMP packets to the target host. The CVSS score of 9.1 indicates high severity, while the EPSS value of < 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers could be the external network or any host with the ability to craft ICMP packets directed at the vulnerable system.

Generated by OpenCVE AI on June 9, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch fixing this flaw.
  • Discontinue or disable the use of raw sockets with IPPROTO_RAW (255) if they are not required for your environment.
  • Configure network or host‑based firewalls to block any incoming ICMP packets that contain a protocol value of 255.

Generated by OpenCVE AI on June 9, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*

Fri, 05 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Thu, 04 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP Yizhou Zhao reported that simply having one RAW socket on protocol IPPROTO_RAW (255) was dangerous. socket(AF_INET, SOCK_RAW, 255); A malicious incoming ICMP packet can set the protocol field to 255 and match this socket, leading to FNHE cache changes. inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST") pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner "man 7 raw" states: A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able to send any IP protocol that is specified in the passed header. Receiving of all IP protocols via IPPROTO_RAW is not possible using raw sockets. Make sure we drop these malicious packets.
Title inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-05T06:06:39.945Z

Reserved: 2026-05-13T15:03:33.108Z

Link: CVE-2026-46266

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-03T18:16:28.147

Modified: 2026-06-09T19:47:18.280

Link: CVE-2026-46266

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46266 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:15:16Z

Weaknesses