pppoe: drop PFC frames

Summary

CVE	CVE-2026-53003
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-24 17:17:11 UTC
Updated	2026-06-24 17:17:11 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames. If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures. To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 cb3beef35ab5e0c1afca9fd7648c6ae499786377 git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 ba758fdf1399f310b30098b6faa3fd043de47dd2 git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 fcca1df05322bb04e344dd1178b54b76a08eb7c3 git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 8a5e840babc5c0fbd10c73728a13192347771ec6 git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71 git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 0cab5d077dd1efd2bd1a47271acc35894f945b4f git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 2b5c3c040d020e3ab3b9a8887031202d96843b1e git	Not specified
CNA	Linux	Linux	affected 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 cc1ff87bce1ccd38410ab10960f576dcd17db679 git	Not specified
CNA	Linux	Linux	affected 5.0	Not specified
CNA	Linux	Linux	unaffected 5.0 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.258 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.209 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.175 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.141 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8a5e840babc5c0fbd10c73728a13192347771ec6	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/cc1ff87bce1ccd38410ab10960f576dcd17db679	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/fcca1df05322bb04e344dd1178b54b76a08eb7c3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/cb3beef35ab5e0c1afca9fd7648c6ae499786377	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2b5c3c040d020e3ab3b9a8887031202d96843b1e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0cab5d077dd1efd2bd1a47271acc35894f945b4f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/ba758fdf1399f310b30098b6faa3fd043de47dd2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.