CVE-2026-53003 (GCVE-0-2026-53003)

Vulnerability from cvelistv5 – Published: 2026-06-24 16:29 – Updated: 2026-06-28 06:37
Title
pppoe: drop PFC frames
Summary
In the Linux kernel, the following vulnerability has been resolved:

pppoe: drop PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames.

If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures.

To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.
Assigner
Impacted products
Vendor: Linux
Product: Linux
Version:
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < cb3beef35ab5e0c1afca9fd7648c6ae499786377 (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < ba758fdf1399f310b30098b6faa3fd043de47dd2 (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < fcca1df05322bb04e344dd1178b54b76a08eb7c3 (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < 8a5e840babc5c0fbd10c73728a13192347771ec6 (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < 49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71 (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < 0cab5d077dd1efd2bd1a47271acc35894f945b4f (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < 2b5c3c040d020e3ab3b9a8887031202d96843b1e (git)
Affected: 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 , < cc1ff87bce1ccd38410ab10960f576dcd17db679 (git)

Vendor: Linux
Product: Linux
Version:
Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.10.258 , ≤ 5.10.* (semver)
Unaffected: 5.15.209 , ≤ 5.15.* (semver)
Unaffected: 6.1.175 , ≤ 6.1.* (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c",
            "drivers/net/ppp/pppoe.c",
            "include/linux/ppp_defs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb3beef35ab5e0c1afca9fd7648c6ae499786377",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "ba758fdf1399f310b30098b6faa3fd043de47dd2",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "fcca1df05322bb04e344dd1178b54b76a08eb7c3",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "8a5e840babc5c0fbd10c73728a13192347771ec6",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "0cab5d077dd1efd2bd1a47271acc35894f945b4f",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "2b5c3c040d020e3ab3b9a8887031202d96843b1e",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            },
            {
              "lessThan": "cc1ff87bce1ccd38410ab10960f576dcd17db679",
              "status": "affected",
              "version": "7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ppp/ppp_generic.c",
            "drivers/net/ppp/pppoe.c",
            "include/linux/ppp_defs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npppoe: drop PFC frames\n\nRFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT\nRECOMMENDED for PPPoE. In practice, pppd does not support negotiating\nPFC for PPPoE sessions, and the current PPPoE driver assumes an\nuncompressed (2-byte) protocol field. However, the generic PPP layer\nfunction ppp_input() is not aware of the negotiation result, and still\naccepts PFC frames.\n\nIf a peer with a broken implementation or an attacker sends a frame with\na compressed (1-byte) protocol field, the subsequent PPP payload is\nshifted by one byte. This causes the network header to be 4-byte\nmisaligned, which may trigger unaligned access exceptions on some\narchitectures.\n\nTo reduce the attack surface, drop PPPoE PFC frames. Introduce\nppp_skb_is_compressed_proto() helper function to be used in both\nppp_generic.c and pppoe.c to avoid open-coding."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T06:37:53.970Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb3beef35ab5e0c1afca9fd7648c6ae499786377"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba758fdf1399f310b30098b6faa3fd043de47dd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcca1df05322bb04e344dd1178b54b76a08eb7c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a5e840babc5c0fbd10c73728a13192347771ec6"
        },
        {
          "url": "https://git.kernel.org/stable/c/49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cab5d077dd1efd2bd1a47271acc35894f945b4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b5c3c040d020e3ab3b9a8887031202d96843b1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc1ff87bce1ccd38410ab10960f576dcd17db679"
        }
      ],
      "title": "pppoe: drop PFC frames",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-53003",
    "datePublished": "2026-06-24T16:29:15.268Z",
    "dateReserved": "2026-06-09T07:44:35.377Z",
    "dateUpdated": "2026-06-28T06:37:53.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53003",
      "date": "2026-07-02",
      "epss": "0.00508",
      "percentile": "0.39582"
    }
  }
}

