CVE-2026-53003

HIGHPre-NVD 7.57.5
EchelonGraph scoreHIGH confidence

Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2026-06-24. a secondary CVSS source baseline 7.5; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, secondary
Trending — 3 sources updated this week
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 1%CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

pppoe: drop PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames.

If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures.

To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.

CVSS v3
7.5
EG Score
7.5(high)
EPSS
39.6%
KEV
Not listed

Published

June 24, 2026

Last Modified

June 28, 2026

Advisory Details (8)

Auto-updated Jun 28, 2026
No patch confirmed yet.
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/fcca1df05322bb04e344dd1178b54b76a08eb7c3
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/cc1ff87bce1ccd38410ab10960f576dcd17db679
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/cb3beef35ab5e0c1afca9fd7648c6ae499786377
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ba758fdf1399f310b30098b6faa3fd043de47dd2
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/8a5e840babc5c0fbd10c73728a13192347771ec6
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/2b5c3c040d020e3ab3b9a8887031202d96843b1e
generic

pppoe: drop PFC frames - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/0cab5d077dd1efd2bd1a47271acc35894f945b4f

Vendor Advisories for CVE-2026-53003(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 37× in last 7d / 49× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 18:34 UTCEG score recompute
  2. 2026-07-06 18:33 UTCGHSA enrichment
  3. 2026-07-06 16:27 UTCEPSS rescore
  4. 2026-07-06 16:27 UTCEPSS rescore
  5. 2026-07-06 06:47 UTCEG score recompute
  6. 2026-07-06 06:47 UTCGHSA enrichment
  7. 2026-07-06 02:23 UTCEPSS rescore
  8. 2026-07-06 02:23 UTCEPSS rescore
  9. 2026-07-05 19:05 UTCEG score recompute
  10. 2026-07-05 19:05 UTCGHSA enrichment
  11. 2026-07-05 07:23 UTCEG score recompute
  12. 2026-07-05 07:23 UTCGHSA enrichment
  13. 2026-07-05 02:31 UTCEPSS rescore
  14. 2026-07-05 02:30 UTCEPSS rescore
  15. 2026-07-04 19:38 UTCEG score recompute
  16. 2026-07-04 19:37 UTCGHSA enrichment
  17. 2026-07-04 07:54 UTCEG score recompute
  18. 2026-07-04 07:54 UTCGHSA enrichment
  19. 2026-07-04 06:31 UTCEPSS rescore
  20. 2026-07-03 20:11 UTCEG score recompute
  21. 2026-07-03 20:11 UTCGHSA enrichment
  22. 2026-07-03 08:29 UTCEG score recompute
  23. 2026-07-03 08:29 UTCGHSA enrichment
  24. 2026-07-02 20:47 UTCEG score recompute
  25. 2026-07-02 20:47 UTCGHSA enrichment
Show 24 more
  1. 2026-07-02 09:04 UTCEG score recompute
  2. 2026-07-02 09:03 UTCGHSA enrichment
  3. 2026-07-01 21:19 UTCEG score recompute
  4. 2026-07-01 21:19 UTCGHSA enrichment
  5. 2026-07-01 15:07 UTCEPSS rescore
  6. 2026-07-01 09:37 UTCEG score recompute
  7. 2026-07-01 09:37 UTCGHSA enrichment
  8. 2026-06-30 23:22 UTCEPSS rescore
  9. 2026-06-30 21:54 UTCEG score recompute
  10. 2026-06-30 21:54 UTCGHSA enrichment
  11. 2026-06-30 10:11 UTCEG score recompute 7.50
  12. 2026-06-30 10:11 UTCGHSA enrichment
  13. 2026-06-29 14:06 UTCEPSS rescore
  14. 2026-06-29 14:06 UTCEPSS rescore
  15. 2026-06-28 14:07 UTCEPSS rescore
  16. 2026-06-28 07:52 UTCMITRE cvelistV5CVSS v3 → 7.5 · severity → HIGH
  17. 2026-06-28 04:56 UTCEPSS rescore
  18. 2026-06-28 04:56 UTCEPSS rescore
  19. 2026-06-27 14:17 UTCEG score recompute
  20. 2026-06-27 14:17 UTCGHSA enrichment
  21. 2026-06-27 03:08 UTCEPSS rescore
  22. 2026-06-25 13:49 UTCEPSS rescore
  23. 2026-06-24 18:23 UTCEG score recompute
  24. 2026-06-24 18:02 UTCNVD updatefirst tracked

Frequently asked(5)

What is CVE-2026-53003?
CVE-2026-53003 is a high vulnerability published on June 24, 2026. In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an…
When was CVE-2026-53003 disclosed?
CVE-2026-53003 was first published in the National Vulnerability Database on June 24, 2026, with the most recent update on June 28, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-53003 actively exploited?
CVE-2026-53003 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 39.6% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-53003?
CVE-2026-53003 has a CVSS v3 base score of 7.5 (NVD).
How do I remediate CVE-2026-53003?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53003, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53003

Explore →

Is Your Infrastructure Affected by CVE-2026-53003?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.