Description
In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL.
The inet_protos[] array is sparse -- only about 15 of 256 protocol
numbers have registered handlers. When ip_no_pmtu_disc is set to 3
(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
Needed error with a quoted inner IP header containing an unregistered
protocol number, the NULL dereference causes a kernel panic in
softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>

Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.
Published: 2026-03-26
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A NULL pointer dereference in the Linux kernel’s icmp_tag_validation function can be triggered by receiving an ICMP Fragmentation Needed packet that references an unregistered inner IP protocol while the system is in hardened PMTU mode. The dereference occurs in softirq context, causing a kernel panic that crashes the entire system. This flaw is a classic pointer misuse identified by CWE‑476.

Affected Systems

All Linux kernel installations that have not incorporated the commit adding a NULL check before accessing inet_protos are affected. The issue is independent of distribution and applies broadly to any unpatched kernel version that uses the original icmp_tag_validation logic.

Risk and Exploitability

The vulnerability carries a strong denial‑of‑service impact due to the system crash. Exploitation requires an attacker to send a specifically crafted ICMP packet, and the condition appears only when hardened PMTU mode is enabled (ip_no_pmtu_disc set to 3). Because the attack surface is narrow and no widespread exploitation has been reported, the risk is moderate for environments using hardened PMTU and low for typical deployments.

Generated by OpenCVE AI on March 26, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to a kernel version that contains the null‑pointer dereference fix for icmp_tag_validation.
  • If a kernel upgrade is not yet feasible, change the hardened PMTU setting by writing 0 or 1 to /proc/sys/net/ipv4/ip_no_pmtu_disc to eliminate the vulnerable condition.
  • After updating, verify the presence of the patch by checking for the corresponding commit identifiers or rebuild date in the kernel source.
  • Continuously monitor kernel logs for KASAN or general protection fault messages that indicate ICMP‑related crashes.
  • As an additional temporary measure, filter inbound ICMP Fragmentation Needed messages at the network perimeter to reduce exposure until a patch is applied.

Generated by OpenCVE AI on March 26, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Title icmp: fix NULL pointer dereference in icmp_tag_validation()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-26T10:22:50.606Z

Reserved: 2026-01-13T15:37:46.012Z

Link: CVE-2026-23398

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T11:16:19.910

Modified: 2026-03-26T11:16:19.910

Link: CVE-2026-23398

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T00:00:00Z

Links: CVE-2026-23398 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:28:48Z

Weaknesses