Description
In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL.
The inet_protos[] array is sparse -- only about 15 of 256 protocol
numbers have registered handlers. When ip_no_pmtu_disc is set to 3
(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
Needed error with a quoted inner IP header containing an unregistered
protocol number, the NULL dereference causes a kernel panic in
softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>

Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.
Published: 2026-03-26
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Crash / Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw stems from an unconditional dereference of a possibly null protocol handler within icmp_tag_validation. When the kernel is configured for hardened Path MTU Discovery (ip_no_pmtu_disc set to 3) and receives an ICMP Fragmentation Needed message that quotes an inner IP header using an unregistered protocol number, the null pointer dereference triggers a kernel panic during softirq processing. This leads to a complete loss of service for the affected host and can be triggered remotely via the network stack.

Affected Systems

All Linux kernel releases that include the unpatched icmp_tag_validation implementation are affected, as the defect is part of the standard IPv4 ICMP handling code. No vendor‑specific or version information is provided, so the impact covers the entire Linux kernel ecosystem until the patch is applied.

Risk and Exploitability

The vulnerability has a CVSS score of 6.2, indicating moderate severity, and an EPSS score below 1%, implying a low probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires only the ability to send crafted ICMP packets to a host with hardened PMTU enabled, which is a remote network‑based attack vector. Although not considered widely exploited, an attacker who can reach the target could cause a crash and disrupt availability.

Generated by OpenCVE AI on March 27, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that includes the fix for CVE-2026-23398.
  • If upgrading is not immediately possible, disable hardened PMTU discovery by setting net.ipv4.ip_no_pmtu_disc to 0.
  • Verify that the kernel version is updated after applying the patch.
  • Monitor system logs for kernel oops or hard‑panic messages and adjust firewall rules to block suspicious ICMP traffic.

Generated by OpenCVE AI on March 27, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Title icmp: fix NULL pointer dereference in icmp_tag_validation()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:33.834Z

Reserved: 2026-01-13T15:37:46.012Z

Link: CVE-2026-23398

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T11:16:19.910

Modified: 2026-04-18T09:16:24.040

Link: CVE-2026-23398

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T00:00:00Z

Links: CVE-2026-23398 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T15:47:36Z

Weaknesses