CVE-2026-23398 (GCVE-0-2026-23398)

Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-04-13 06:06
VLAI?
Title
icmp: fix NULL pointer dereference in icmp_tag_validation()
Summary
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 (git)
Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < b61529c357f1ee4d64836eb142a542d2e7ad67ce (git)
Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 9647e99d2a617c355d2b378be0ff6d0e848fd579 (git)
Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < d938dd5a0ad780c891ea3bc94cae7405f11e618a (git)
Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 (git)
Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 614aefe56af8e13331e50220c936fc0689cf5675 (git)
Create a notification for this product.
    Linux Linux Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.20 , ≤ 6.18.* (semver)
Unaffected: 6.19.10 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/icmp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161",
              "status": "affected",
              "version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
              "versionType": "git"
            },
            {
              "lessThan": "b61529c357f1ee4d64836eb142a542d2e7ad67ce",
              "status": "affected",
              "version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
              "versionType": "git"
            },
            {
              "lessThan": "9647e99d2a617c355d2b378be0ff6d0e848fd579",
              "status": "affected",
              "version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
              "versionType": "git"
            },
            {
              "lessThan": "d938dd5a0ad780c891ea3bc94cae7405f11e618a",
              "status": "affected",
              "version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
              "versionType": "git"
            },
            {
              "lessThan": "1e4e2f5e48cec0cccaea9815fb9486c084ba41e2",
              "status": "affected",
              "version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
              "versionType": "git"
            },
            {
              "lessThan": "614aefe56af8e13331e50220c936fc0689cf5675",
              "status": "affected",
              "version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/icmp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n  \u003cIRQ\u003e\n  icmp_rcv (net/ipv4/icmp.c:1527)\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n  ip_local_deliver (net/ipv4/ip_input.c:262)\n  ip_rcv (net/ipv4/ip_input.c:573)\n  __netif_receive_skb_one_core (net/core/dev.c:6164)\n  process_backlog (net/core/dev.c:6628)\n  handle_softirqs (kernel/softirq.c:561)\n  \u003c/IRQ\u003e\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:06:37.293Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"
        },
        {
          "url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"
        },
        {
          "url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"
        }
      ],
      "title": "icmp: fix NULL pointer dereference in icmp_tag_validation()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23398",
    "datePublished": "2026-03-26T10:22:50.606Z",
    "dateReserved": "2026-01-13T15:37:46.012Z",
    "dateUpdated": "2026-04-13T06:06:37.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23398",
      "date": "2026-04-16",
      "epss": "0.00032",
      "percentile": "0.09117"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23398\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-26T11:16:19.910\",\"lastModified\":\"2026-03-30T13:26:50.827\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nicmp: fix NULL pointer dereference in icmp_tag_validation()\\n\\nicmp_tag_validation() unconditionally dereferences the result of\\nrcu_dereference(inet_protos[proto]) without checking for NULL.\\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\\nNeeded error with a quoted inner IP header containing an unregistered\\nprotocol number, the NULL dereference causes a kernel panic in\\nsoftirq context.\\n\\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\\n Call Trace:\\n  \u003cIRQ\u003e\\n  icmp_rcv (net/ipv4/icmp.c:1527)\\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\\n  ip_local_deliver_finish (net/ipv4/ip_input.c:242)\\n  ip_local_deliver (net/ipv4/ip_input.c:262)\\n  ip_rcv (net/ipv4/ip_input.c:573)\\n  __netif_receive_skb_one_core (net/core/dev.c:6164)\\n  process_backlog (net/core/dev.c:6628)\\n  handle_softirqs (kernel/softirq.c:561)\\n  \u003c/IRQ\u003e\\n\\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\\nprotocol has no registered handler, return false since it cannot\\nperform strict tag validation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nicmp: soluciona la desreferencia de puntero NULL en icmp_tag_validation()\\n\\nicmp_tag_validation() desreferencia incondicionalmente el resultado de rcu_dereference(inet_protos[proto]) sin comprobar si es NULL. El array inet_protos[] es disperso -- solo unos 15 de 256 n\u00fameros de protocolo tienen gestores registrados. Cuando ip_no_pmtu_disc se establece en 3 (modo PMTU endurecido) y el kernel recibe un error ICMP Fragmentation Needed con una cabecera IP interna citada que contiene un n\u00famero de protocolo no registrado, la desreferencia NULL causa un p\u00e1nico del kernel en contexto de softirq.\\n\\n Oops: fallo de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\\n KASAN: desreferencia de puntero nulo en el rango [0x0000000000000010-0x0000000000000017]\\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\\n Traza de Llamada:\\n  \\n  icmp_rcv (net/ipv4/icmp.c:1527)\\n  ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\\n  ip_local_deliver_finish (net/ipv4/ip_input.c:242)\\n  ip_local_deliver (net/ipv4/ip_input.c:262)\\n  ip_rcv (net/ipv4/ip_input.c:573)\\n  __netif_receive_skb_one_core (net/core/dev.c:6164)\\n  process_backlog (net/core/dev.c:6628)\\n  handle_softirqs (kernel/softirq.c:561)\\n  \\n\\nA\u00f1adir una comprobaci\u00f3n de NULL antes de acceder a icmp_strict_tag_validation. Si el protocolo no tiene un gestor registrado, devolver falso ya que no puede realizar una validaci\u00f3n estricta de etiquetas.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.