CVE-2026-23398
Description
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
CVSS Details
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Threat Intelligence
Weaknesses 1
Affected Products 15
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | ≥3.14.1 – <5.10.253 |
| linux | linux_kernel | * | ≥5.11 – <5.15.203 |
| linux | linux_kernel | * | ≥5.16 – <6.1.167 |
| linux | linux_kernel | * | ≥6.2 – <6.6.130 |
| linux | linux_kernel | * | ≥6.7 – <6.12.78 |
| linux | linux_kernel | * | ≥6.13 – <6.18.20 |
| linux | linux_kernel | * | ≥6.19 – <6.19.10 |
| linux | linux_kernel | 3.14 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
| linux | linux_kernel | 7.0 | any |
References 8
- git.kernel.org https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
- git.kernel.org https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
- git.kernel.org https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd
- git.kernel.org https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675
- git.kernel.org https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579
- git.kernel.org https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce
- git.kernel.org https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3
- git.kernel.org https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a
Remediation
- git.kernel.org https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
- git.kernel.org https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
- git.kernel.org https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd
- git.kernel.org https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675
- git.kernel.org https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579
- git.kernel.org https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce
- git.kernel.org https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3
- git.kernel.org https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a