CVE-2026-23398

MEDIUM EPSS 1.8%
Published Mar 26, 20263mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Mar 26, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 15

VendorProductVersionRange
linuxlinux_kernel*≥3.14.1  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.20
linuxlinux_kernel*≥6.19  –  <6.19.10
linuxlinux_kernel3.14any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a
    Patch