CVE-2026-23398
NULL Pointer Dereference in Linux Kernel ICMP Causes Kernel Panic

Publication date: 2026-03-26

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.

  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
  RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
  Call Trace:
   <IRQ>
   icmp_rcv (net/ipv4/icmp.c:1527)
   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
   ip_local_deliver_finish (net/ipv4/ip_input.c:242)
   ip_local_deliver (net/ipv4/ip_input.c:262)
   ip_rcv (net/ipv4/ip_input.c:573)
   __netif_receive_skb_one_core (net/core/dev.c:6164)
   process_backlog (net/core/dev.c:6628)
   handle_softirqs (kernel/softirq.c:561)
   </IRQ>

Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.

Meta Information
Published: 2026-03-26
Last Modified: 2026-04-24
Generated: 2026-06-16
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 15 associated CPEs
Vendor  Product       Version / Range
linux   linux_kernel  3.14
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  From 6.2 (inc) to 6.6.130 (exc)
linux   linux_kernel  From 5.11 (inc) to 5.15.203 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.167 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.78 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.20 (exc)
linux   linux_kernel  From 6.19 (inc) to 6.19.10 (exc)
linux   linux_kernel  From 3.14.1 (inc) to 5.10.253 (exc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

This vulnerability exists in the Linux kernel's ICMP handling code, specifically in the function icmp_tag_validation(). The function dereferences a pointer from the inet_protos[] array without checking if it is NULL. Since inet_protos[] is sparse and many protocol numbers do not have registered handlers, this can lead to a NULL pointer dereference.

When the kernel is set to a hardened Path MTU Discovery mode (ip_no_pmtu_disc set to 3) and receives an ICMP Fragmentation Needed message containing an inner IP header with an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context, leading to a system crash.

The fix involves adding a NULL check before accessing the protocol handler and returning false if no handler is registered, preventing the kernel panic.

Impact Analysis

This vulnerability can cause a kernel panic, which results in a system crash and potential denial of service. If exploited, it can disrupt the normal operation of a Linux system by crashing the kernel when processing certain ICMP packets.

Detection Guidance

This vulnerability causes a kernel panic due to a NULL pointer dereference in the icmp_tag_validation() function when the system receives a specific ICMP Fragmentation Needed error with an unregistered protocol number.

Detection can be done by monitoring system logs for kernel panic messages or oops reports related to icmp_unreach or icmp_tag_validation. Look for messages indicating a general protection fault or null pointer dereference in the ICMP handling code.

Specific commands to check kernel logs include:

  • dmesg | grep -i 'icmp_unreach'
  • journalctl -k | grep -i 'NULL pointer dereference'
  • journalctl -k | grep -i 'general protection fault'

Additionally, monitoring for unexpected kernel panics or crashes during network activity involving ICMP packets may help detect exploitation attempts.
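
The log checks above can be tightened so that an unrelated crash does not raise an alert. The following is an added example, not part of the original advisory: count_icmp_oops is a hypothetical helper, and the sample log is constructed from the trace quoted in the description plus one invented unrelated fault.

```shell
#!/bin/sh
# Added example: triage kernel-log text for the crash signature quoted on the page.
# count_icmp_oops is a hypothetical helper; it reads log text on stdin.

# Constructed sample: the first report reuses the trace from the description,
# the second is an invented unrelated fault (example_driver_poll does not exist).
SAMPLE_LOG='[  812.104411] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
[  812.104420] KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
[  812.104431] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
[  812.104440] Call Trace:
[  812.104441]  <IRQ>
[  812.104442]  icmp_rcv (net/ipv4/icmp.c:1527)
[ 1990.500001] Oops: general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#2] SMP
[ 1990.500009] RIP: 0010:example_driver_poll (drivers/example/poll.c:42)'

# Count oops reports whose faulting RIP is in the ICMP error path. A bare grep
# for "general protection fault" also matches unrelated crashes, so the fault
# line must be followed by a matching RIP line within WINDOW lines.
count_icmp_oops() {
    awk -v window="${WINDOW:-20}" '
        /general protection fault|NULL pointer dereference|null-ptr-deref/ {
            armed = NR                      # remember where the report started
        }
        armed && /RIP: / {
            if (NR - armed <= window && /icmp_unreach|icmp_tag_validation/)
                hits++
            armed = 0                       # the first RIP line closes the report
        }
        END { print hits + 0 }
    '
}

# Run on the constructed sample; on a live host use: journalctl -k | count_icmp_oops
printf '%s\n' "$SAMPLE_LOG" | count_icmp_oops
```
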

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where this vulnerability is fixed, as the issue is resolved by adding a NULL check in the icmp_tag_validation() function.

Until the kernel is updated, consider the following steps:

  • Disable or restrict ICMP Fragmentation Needed messages if possible, to reduce the chance of triggering the vulnerability.
  • Avoid setting ip_no_pmtu_disc to 3 (hardened PMTU mode), as this setting is involved in triggering the issue.
  • Monitor system stability and logs closely for signs of kernel panics related to ICMP handling.

Ultimately, applying the official patch or upgrading to a fixed kernel version is the recommended and most effective mitigation.
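
To decide which hosts need the update first, the version table and the ip_no_pmtu_disc condition can be checked together. The following is an added example, not part of the original advisory: the function names are hypothetical, the ranges are copied from the table above, and the 7.0 rows are reported as undetermined because the page does not say which 7.0 builds they cover.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2026-23398 (helper names are hypothetical).
# Upstream ranges from the page as "first-affected first-fixed" (fixed is
# exclusive); the 3.14 row and the 3.14.1 range are merged into one entry.
RANGES='3.14 5.10.253
5.11 5.15.203
5.16 6.1.167
6.2 6.6.130
6.7 6.12.78
6.13 6.18.20
6.19 6.19.10'

# True when version $1 sorts strictly before version $2 (needs GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# 0 = inside a listed range, 1 = not listed, 2 = a 7.0 build (undetermined).
kernel_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic", "+", "-rc1"
    case "$v" in 7.0|7.0.*) return 2 ;; esac
    while read -r lo hi; do
        if ! version_lt "$v" "$lo" && version_lt "$v" "$hi"; then
            return 0
        fi
    done <<EOF
$RANGES
EOF
    return 1
}

# True when ip_no_pmtu_disc is 3, the mode the page names as the trigger.
pmtu_hardened() {
    f=${1:-/proc/sys/net/ipv4/ip_no_pmtu_disc}
    [ -r "$f" ] && [ "$(cat "$f")" = "3" ]
}

# Print one verdict; $1 = kernel release, $2 = optional sysctl file (for tests).
exposure() {
    rc=0; kernel_affected "$1" || rc=$?
    case "$rc" in
        1) echo "not-listed" ;;
        2) echo "check-build" ;;
        *) if pmtu_hardened "$2"; then echo "exposed"
           else echo "affected-mode-off"; fi ;;
    esac
}

exposure "$(uname -r)"
```

Distribution kernels often backport fixes without changing the upstream version number, so an "exposed" or "affected-mode-off" verdict on a vendor kernel should be confirmed against the vendor's own advisory.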
