Description
In the Linux kernel, the following vulnerability has been resolved:

pppoe: drop PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.

If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.

To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel PPPoE driver mistakenly accepts a single‑byte compressed protocol field when the generic PPP input routine expects a two‑byte field. The resulting 1‑byte shift in the payload misaligns the network header, triggering unaligned memory accesses on architectures that enforce strict alignment and causing kernel crashes. This only when a PPPoE frame with an unsupported compressed protocol field is received, making the attack surface limited to PPPoE traffic.

Affected Systems

All Linux kernel installations that include PPPoE support and have not applied the patch that drops PFC frames are potentially affected. The CPE indicates any Linux kernel, and no specific version range is provided, implying that older kernels prior to the patch carry the issue. Devices that rely on PPPoE for connectivity—such as routers, DSL modems, or VPN gateways—are the most directly impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a higher severity vulnerability, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker able to inject specially crafted PPPoE packets—such as on a shared LAN or WAN segment—against a vulnerable device. The patch mitigates the issue by explicitly dropping PPPoE PFC frames, eliminating the opportunity for misaligned access and the resulting denial of service.

Generated by OpenCVE AI on June 28, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch that drops PPPoE PFC frames.
  • If PPPoE is not required on a device, disable PPPoE support or restrict the interface to prevent PPPoE traffic.
  • Monitor system logs for kernel panics or disconnections related to PPPoE traffic to confirm the mitigation has taken effect.

Generated by OpenCVE AI on June 28, 2026 at 13:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1102
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames. If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures. To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.
Title pppoe: drop PFC frames
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:37:53.970Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-53003

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53003 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:15:16Z

Weaknesses
  • CWE-1102

    Reliance on Machine-Dependent Data Representation