
Linux Kernel RAW Socket Vulnerability Allows ICMP Packet Manipulation

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-46266

A Linux kernel vulnerability allows specially crafted ICMP packets to alter the FNHE cache. This could lead to system configuration changes or denial of service when a RAW socket is configured to accept any IP protocol.

Halo Surface Signal (score: 2)

Linux Kernel

  • 2.6.12.1 to before 6.6.128
  • 6.7 to before 6.12.75
  • 6.13 to before 6.18.14
  • 6.19 to before 6.19.4
  • 2.6.12

External exposure likelihood

Halo Surface Signal score for CVE-2026-46266

This vulnerability resides within the Linux kernel network stack involving RAW sockets. While network-reachable, creating and listening on raw sockets typically requires administrative privileges (CAP_NET_RAW) and is not a common configuration for public-facing application services. Most standard deployments do not expose raw socket functionality to the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-46266

Yes

CVE-2026-46266 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Linux kernel vulnerability allows a malicious packet to modify host cache entries, potentially leading to unauthorized access and impacting system integrity, which would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A security issue in the Linux kernel could allow malicious network traffic to alter system configurations. This is a critical vulnerability impacting the core operating system, with the potential for significant disruption if exploited.

  • A kernel flaw can change system settings.
  • It affects core operating system functionality.
  • Confirm relevance and exposure across systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted ICMP packet over the network. This packet would be designed to match a system that has a RAW socket configured to listen for any IP protocol. When the malicious packet arrives, it could alter the system's FNHE cache, potentially leading to denial-of-service or unauthorized information disclosure.

  • Network access required to send packet.
  • Malicious ICMP packet triggers vulnerability.
  • FNHE cache changes, impacting system integrity.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, an incoming ICMP packet could trigger changes to the FNHE cache. This can occur only when a process on the system has a RAW socket configured to listen on IPPROTO_RAW.

  • System network cache.
  • Malicious ICMP packet.
  • Denial of service or network disruption.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects the Linux kernel's handling of RAW sockets, specifically when using IPPROTO_RAW. Teams responsible for network infrastructure and operating system security should prioritize understanding and mitigating this risk. The initial steps involve identifying all systems running affected Linux kernel versions, determining exposure to untrusted networks, and confirming which systems utilize RAW sockets with IPPROTO_RAW. Once identified, asset owners must be engaged to assess business criticality and plan remediation, potentially involving vendor coordination for kernel updates or configuration changes to drop malicious packets.

  • Identify systems using RAW sockets.
  • Verify network exposure and criticality.
  • Plan kernel updates or configuration changes.
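The two host-side checks these steps describe (affected kernel version, and whether any process currently holds a RAW socket opened with IPPROTO_RAW) can be scripted. The Python below is an added example written for this page; it is not Halo's tooling or Linux kernel project code. It assumes the affected upstream ranges exactly as listed above, and it reads the kernel's /proc/net/raw and /proc/net/raw6 tables, where the "port" half of local_address holds the IP protocol number a raw socket was created with (IPPROTO_RAW is 255, shown as 00FF). The /proc contents embedded at the bottom are constructed samples, not captures from a real host.

```python
"""Host-side audit for CVE-2026-46266 (added example; not Halo's or the kernel project's code).

Check 1: does `uname -r` fall inside an affected upstream kernel range?
Check 2: does any process hold a raw socket opened with IPPROTO_RAW (protocol 255),
         the configuration the advisory names as the trigger path?
"""
import os
import platform
import re
import socket
from typing import Dict, List, Optional, Tuple

IPPROTO_RAW = 255  # appears as 00FF in the "port" half of local_address in /proc/net/raw

# Affected upstream ranges as listed in the advisory: start inclusive, end exclusive
# (the end is the first fixed version). Distro kernels that backport fixes keep older
# version strings, so a match here is indicative only; confirm against vendor advisories.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 6, 12, 1), (6, 6, 128)),
    ((6, 7), (6, 12, 75)),
    ((6, 13), (6, 18, 14)),
    ((6, 19), (6, 19, 4)),
]
AFFECTED_EXACT = [(2, 6, 12)]  # listed separately in the advisory


def parse_version(release: str) -> Tuple[int, ...]:
    """'6.6.90-1-generic' -> (6, 6, 90); distro suffixes and '-rcN' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(release: str) -> bool:
    """True when the release lies in any affected range. Python tuple ordering handles
    mixed lengths like version ordering does: (6, 7) <= (6, 7, 0) < (6, 12, 75)."""
    v = parse_version(release)
    if v in AFFECTED_EXACT:
        return True
    return any(start <= v < end for start, end in AFFECTED_RANGES)


def _proc_hex_to_ip(hex_addr: str) -> str:
    """/proc/net stores addresses as little-endian 32-bit words in hex (1 word v4, 4 words v6)."""
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, len(hex_addr), 8))
    return socket.inet_ntop(socket.AF_INET6 if len(raw) == 16 else socket.AF_INET, raw)


def parse_proc_net_raw(text: str) -> List[Dict[str, object]]:
    """Parse /proc/net/raw or /proc/net/raw6. Column 2 is local_address as ADDR:PROTO,
    where PROTO is the IP protocol number the raw socket was created with."""
    entries = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        addr_hex, proto_hex = cols[1].rsplit(":", 1)
        entries.append({"local_addr": _proc_hex_to_ip(addr_hex), "protocol": int(proto_hex, 16),
                        "uid": int(cols[7]), "inode": int(cols[9])})
    return entries


def ipproto_raw_sockets(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [e for e in entries if e["protocol"] == IPPROTO_RAW]


def pid_for_socket_inode(inode: int) -> Optional[int]:
    """Map a socket inode to the pid holding it via /proc/<pid>/fd (other users' processes need root)."""
    target = f"socket:[{inode}]"
    if not os.path.isdir("/proc"):
        return None
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:
            continue  # process exited or permission denied
    return None


def audit_host() -> Dict[str, object]:
    release = platform.release()
    try:
        affected: Optional[bool] = is_affected(release)
    except ValueError:
        affected = None
    found = []
    for path in ("/proc/net/raw", "/proc/net/raw6"):
        if os.path.exists(path):
            with open(path) as f:
                found.extend(ipproto_raw_sockets(parse_proc_net_raw(f.read())))
    for e in found:
        e["pid"] = pid_for_socket_inode(e["inode"])
    return {"kernel": release, "kernel_affected": affected, "ipproto_raw_sockets": found}


# Constructed sample /proc/net/raw contents (not captured from a real host): an ICMP raw
# socket (protocol 0001) and an IPPROTO_RAW socket (00FF) bound to 127.0.0.1.
SAMPLE_RAW = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops",
    "   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18321 2 0000000000000000 0",
    "   1: 0100007F:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22410 2 0000000000000000 0",
])
SAMPLE_RAW6 = "\n".join([  # constructed: one IPPROTO_RAW socket bound to ::
    "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops",
    "   0: 00000000000000000000000000000000:00FF 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 30100 2 0000000000000000 0",
])

if __name__ == "__main__":
    report = audit_host()
    print(f"kernel {report['kernel']} in affected range: {report['kernel_affected']}")
    for e in report["ipproto_raw_sockets"]:
        print(f"IPPROTO_RAW socket bound to {e['local_addr']} uid={e['uid']} inode={e['inode']} pid={e['pid']}")
```

Run it as root so every process's /proc/<pid>/fd is readable; `ss -wap` gives a quick cross-check of raw sockets. A hit on both checks marks a host for the vendor-coordination step above; a version match alone is weaker evidence, since distribution kernels carry backported fixes under unchanged version strings and the first advisory range covers nearly every older kernel.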

Frequently asked questions

What is the Linux kernel and how does it use RAW sockets?

The Linux kernel is the foundational software that manages hardware resources and provides essential services for applications. It includes a networking stack that allows programs to communicate over the internet. RAW sockets are a specialized interface that lets applications bypass standard protocol processing to send or receive raw packets. Typically, these are used for network diagnostics, security tools, or custom protocol development rather than standard web traffic.

How does CVE-2026-46266 affect packet handling?

This vulnerability involves an improper input validation flaw. When a system has a RAW socket set to listen for the IPPROTO_RAW protocol, the kernel fails to reject incoming ICMP packets that masquerade as this protocol. Because the system incorrectly accepts these packets, an attacker can cause the kernel to perform unauthorized operations, specifically modifying the Forwarding Next Hop Entry (FNHE) cache, which tracks network routing information.

What triggers the vulnerability in the Linux kernel?

The flaw is triggered when a crafted ICMP packet is sent to a system that already has a RAW socket actively listening on IPPROTO_RAW. It is important to note that the mere presence of the Linux kernel does not trigger this issue; the vulnerability is only actionable if an application is specifically configured to open a RAW socket with that protocol identifier. If no process is using this specific configuration, the system is not susceptible to this specific trigger path.

Why should I care about this issue for my systems?

You should care if you manage Linux systems that process untrusted network traffic and utilize RAW sockets. According to Halo Surface Signal, this vulnerability is classified as 'Unlikely' to be a broad threat because creating and listening on raw sockets usually requires administrative privileges (CAP_NET_RAW). Most standard services do not expose this functionality to the public internet, but custom network tools or infrastructure applications may be more relevant.

How do I start addressing CVE-2026-46266?

Begin by auditing your infrastructure to identify which systems are running affected Linux kernel versions. Next, determine if any applications on those systems are configured to use RAW sockets with IPPROTO_RAW. Prioritize systems that face the public internet or untrusted networks for closer inspection. Once you identify relevant systems, engage with your kernel maintainers or vendors to apply the necessary security updates to patch the packet-handling logic.
