CVE-2026-23398
NULL Pointer Dereference in Linux Kernel ICMP Causes Kernel Panic
Publication date: 2026-03-26
Last updated on: 2026-04-24
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 3.14 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.20 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.10 (exc) |
| linux | linux_kernel | From 3.14.1 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ICMP handling code, specifically in the function icmp_tag_validation(). The function dereferences a pointer from the inet_protos[] array without checking if it is NULL. Since inet_protos[] is sparse and many protocol numbers do not have registered handlers, this can lead to a NULL pointer dereference.
When the kernel is set to a hardened Path MTU Discovery mode (ip_no_pmtu_disc set to 3) and receives an ICMP Fragmentation Needed message containing an inner IP header with an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context, leading to a system crash.
The fix involves adding a NULL check before accessing the protocol handler and returning false if no handler is registered, preventing the kernel panic.
How can this vulnerability impact me? :
This vulnerability can cause a kernel panic, which results in a system crash and potential denial of service. If exploited, it can disrupt the normal operation of a Linux system by crashing the kernel when processing certain ICMP packets.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a kernel panic due to a NULL pointer dereference in the icmp_tag_validation() function when the system receives a specific ICMP Fragmentation Needed error with an unregistered protocol number.
Detection can be done by monitoring system logs for kernel panic messages or oops reports related to icmp_unreach or icmp_tag_validation. Look for messages indicating a general protection fault or null pointer dereference in the ICMP handling code.
Specific commands to check kernel logs include:
- dmesg | grep -i 'icmp_unreach'
- journalctl -k | grep -i 'NULL pointer dereference'
- journalctl -k | grep -i 'general protection fault'
Additionally, monitoring for unexpected kernel panics or crashes during network activity involving ICMP packets may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Linux kernel to a version where this vulnerability is fixed, as the issue is resolved by adding a NULL check in the icmp_tag_validation() function.
Until the kernel is updated, consider the following steps:
- Disable or restrict ICMP Fragmentation Needed messages if possible, to reduce the chance of triggering the vulnerability.
- Avoid setting ip_no_pmtu_disc to 3 (hardened PMTU mode), as this setting is involved in triggering the issue.
- Monitor system stability and logs closely for signs of kernel panics related to ICMP handling.
Ultimately, applying the official patch or upgrading to a fixed kernel version is the recommended and most effective mitigation.