In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation()
icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL.
The inet_protos[] array is sparse -- only about 15 of 256 protocol
numbers have registered handlers. When ip_no_pmtu_disc is set to 3
(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
Needed error with a quoted inner IP header containing an unregistered
protocol number, the NULL dereference causes a kernel panic in
softirq context.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>
Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.
Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-23398",
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"dateUpdated": "2026-03-26T10:22:50.606Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"datePublished": "2026-03-26T10:22:50.606Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux",
"dateUpdated": "2026-03-26T10:22:50.606Z"
},
"title": "icmp: fix NULL pointer dereference in icmp_tag_validation()",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n <IRQ>\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n </IRQ>\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."
}
],
"affected": [
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "unaffected",
"versions": [
{
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"status": "affected",
"versionType": "git",
"lessThan": "1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"
},
{
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"status": "affected",
"versionType": "git",
"lessThan": "b61529c357f1ee4d64836eb142a542d2e7ad67ce"
},
{
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"status": "affected",
"versionType": "git",
"lessThan": "9647e99d2a617c355d2b378be0ff6d0e848fd579"
},
{
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"status": "affected",
"versionType": "git",
"lessThan": "d938dd5a0ad780c891ea3bc94cae7405f11e618a"
},
{
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"status": "affected",
"versionType": "git",
"lessThan": "1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"
},
{
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"status": "affected",
"versionType": "git",
"lessThan": "614aefe56af8e13331e50220c936fc0689cf5675"
}
]
},
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "affected",
"versions": [
{
"version": "3.14",
"status": "affected"
},
{
"version": "0",
"status": "unaffected",
"versionType": "semver",
"lessThan": "3.14"
},
{
"version": "6.1.167",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.1.*"
},
{
"version": "6.6.130",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.6.*"
},
{
"version": "6.12.78",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.12.*"
},
{
"version": "6.18.20",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.18.*"
},
{
"version": "6.19.10",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.19.*"
},
{
"version": "7.0-rc5",
"status": "unaffected",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"
},
{
"url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"
},
{
"url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"
},
{
"url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"
},
{
"url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"
},
{
"url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"
}
]
}
}
}