pppoe: drop PFC frames_CVE-2026-53003

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

pppoe: drop PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.

If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.

To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.

Basic Information

ID CVE-2026-53003

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:37

Affected Product

Vendor Linux

Product Linux

Version 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6

Affected Versions Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6
Linux Linux 5.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npppoe: drop PFC frames\n\nRFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT\nRECOMMENDED for PPPoE. In practice, pppd does not support negotiating\nPFC for PPPoE sessions, and the current PPPoE driver assumes an\nuncompressed (2-byte) protocol field. However, the generic PPP layer\nfunction ppp_input() is not aware of the negotiation result, and still\naccepts PFC frames.\n\nIf a peer with a broken implementation or an attacker sends a frame with\na compressed (1-byte) protocol field, the subsequent PPP payload is\nshifted by one byte. This causes the network header to be 4-byte\nmisaligned, which may trigger unaligned access exceptions on some\narchitectures.\n\nTo reduce the attack surface, drop PPPoE PFC frames. Introduce\nppp_skb_is_compressed_proto() helper function to be used in both\nppp_generic.c and pppoe.c to avoid open-coding.",
    "published": "2026-06-24T16:29:15.268Z",
    "modified": "2026-06-28T06:37:53.970Z",
    "type": "cve",
    "title": "pppoe: drop PFC frames",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/cb3beef35ab5e0c1afca9fd7648c6ae499786377\nhttps://git.kernel.org/stable/c/ba758fdf1399f310b30098b6faa3fd043de47dd2\nhttps://git.kernel.org/stable/c/fcca1df05322bb04e344dd1178b54b76a08eb7c3\nhttps://git.kernel.org/stable/c/8a5e840babc5c0fbd10c73728a13192347771ec6\nhttps://git.kernel.org/stable/c/49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71\nhttps://git.kernel.org/stable/c/0cab5d077dd1efd2bd1a47271acc35894f945b4f\nhttps://git.kernel.org/stable/c/2b5c3c040d020e3ab3b9a8887031202d96843b1e\nhttps://git.kernel.org/stable/c/cc1ff87bce1ccd38410ab10960f576dcd17db679",
    "id": "CVE-2026-53003",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6\nLinux Linux 5.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply