CVE-2026-46266
Linux Kernel Vulnerability Analysis and Mitigation

Overview

CVE-2026-46266 is a socket filtering bypass vulnerability in the Linux kernel's handling of RAW sockets using the IPPROTO_RAW protocol (255). A malicious incoming ICMP packet can set its inner IP protocol field to 255, matching an open IPPROTO_RAW socket and causing unintended modifications to the kernel's FNHE (Forward Next Hop Entry) routing cache. The vulnerability was reported by Yizhou Zhao and disclosed on June 3, 2026. It affects Linux kernel versions from 2.6.12 up to (but not including) 6.6.128, 6.7–6.12.x before 6.12.75, 6.13–6.18.x before 6.18.14, and 6.19.x before 6.19.4. It carries a CVSS v3.1 base score of 9.1 (Critical) (GitHub Advisory).

Technical details

The root cause is improper input validation (CWE-20) in the Linux kernel's inet RAW socket receive path. According to man 7 raw, IPPROTO_RAW sockets are send-only by design — they should not receive incoming IP packets of any protocol. However, the kernel failed to enforce this restriction: an attacker can craft an ICMP error message (type 3, code 4 — Destination Unreachable / Fragmentation Needed) containing an embedded inner IP packet with proto=255. When the kernel processes this ICMP error, it matches the inner packet against open sockets, incorrectly delivering it to an IPPROTO_RAW socket and triggering FNHE cache updates. The attack requires no authentication or privileges and is exploitable remotely over the network. A proof-of-concept packet construction using Scapy is documented in the kernel commit description: inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST") encapsulated in an ICMP error packet (GitHub Advisory).

Impact

Successful exploitation allows an unauthenticated remote attacker to manipulate the kernel's FNHE routing cache, which can disrupt network path discovery (e.g., PMTUD — Path MTU Discovery) and cause denial of service or network traffic misdirection on affected systems. The integrity and availability of network routing state are directly impacted; confidentiality is not affected. Systems running any application that opens an IPPROTO_RAW socket (protocol 255) are exposed, and the impact is limited to the network stack of the targeted host rather than enabling lateral movement or code execution (GitHub Advisory).

Mitigation and workarounds

Upgrade the Linux kernel to a patched version: 6.6.128 or later (for 6.6.x branch), 6.12.75 or later (for 6.7–6.12.x branches), 6.18.14 or later (for 6.13–6.18.x branches), or 6.19.4 or later (for 6.19.x). Patches are available via the stable kernel tree at git.kernel.org. As a workaround where upgrading is not immediately possible, restrict the creation of IPPROTO_RAW sockets using Linux capabilities (CAP_NET_RAW), SELinux/AppArmor policies, or seccomp filters to prevent unprivileged or unnecessary processes from opening such sockets (GitHub Advisory).
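A host-side exposure check for the two conditions described above (a kernel release inside the affected ranges and an open IPPROTO_RAW socket), added here as an example and not taken from the advisory or the kernel project. It assumes the port half of local_address in /proc/net/raw holds the socket's protocol number, and it compares only the upstream release number, so distribution kernels with backported fixes may still be reported as in range.

```python
import platform
import re

# First fixed release per branch range, as listed in the advisory text above:
# (lowest affected version, first fixed version) -> affected if low <= v < fixed.
AFFECTED_RANGES = [
    ((2, 6, 12), (6, 6, 128)),
    ((6, 7, 0), (6, 12, 75)),
    ((6, 13, 0), (6, 18, 14)),
    ((6, 19, 0), (6, 19, 4)),
]

# Constructed sample of /proc/net/raw: one ICMP socket (proto 1) and one
# IPPROTO_RAW socket (proto 255 = 0x00FF) owned by uid 1000.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41872 2 0000000000000000 0
 255: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 52310 2 0000000000000000 0
"""

def version_affected(release):
    """True if an upstream release string such as '6.8.0-45-generic' is in range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    v = tuple(int(g or 0) for g in m.groups())
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)

def ipproto_raw_sockets(proc_net_raw_text):
    """Return (uid, inode) for every raw socket opened with protocol 255."""
    found = []
    for line in proc_net_raw_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        # Assumption: the "port" half of local_address is the protocol number.
        proto = int(fields[1].rsplit(":", 1)[1], 16)
        if proto == 255:
            found.append((int(fields[7]), int(fields[9])))
    return found

if __name__ == "__main__":
    release = platform.release()
    with open("/proc/net/raw") as fh:
        sockets = ipproto_raw_sockets(fh.read())
    print(f"kernel {release}: in affected range = {version_affected(release)}")
    for uid, inode in sockets:
        print(f"IPPROTO_RAW socket: uid={uid} inode={inode}")
```

Each reported inode can be matched against the socket:[inode] links under /proc/<pid>/fd to identify the owning process.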

Community reactions

The vulnerability was noted in the CISA weekly vulnerability bulletin for the week of June 1, 2026, and covered by security aggregators including Red Packet Security. No significant independent researcher commentary or vendor statements beyond the kernel fix itself have been identified at this time (GitHub Advisory).

Additional resources

Source: This report was generated using AI

Related Linux Kernel vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Publication date
CVE-2026-46324 | HIGH | 7.8 | Linux Kernel | linux-hwe-5.15 | No | Yes | Jun 09, 2026
CVE-2026-46330 | HIGH | 7.1 | Linux Kernel | kernel-rt-64k-debug-modules-extra | No | Yes | Jun 09, 2026
CVE-2026-46325 | MEDIUM | 6.1 | Linux Kernel | kernel-modules-partner | No | Yes | Jun 09, 2026
CVE-2026-46329 | NONE | N/A | Linux Kernel | kernel-debug | No | Yes | Jun 09, 2026
CVE-2026-46327 | NONE | N/A | Linux Kernel | linux-gcp-6.8 | No | Yes | Jun 09, 2026
