Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 3.14.1, < 5.10.253 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2Patch
- https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161Patch
- https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9eddPatch
- https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675Patch
- https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579Patch
- https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67cePatch
- https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3Patch
- https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618aPatch
FAQ
What is CVE-2026-23398?
CVE-2026-23398 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_d...
How severe is CVE-2026-23398?
CVE-2026-23398 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23398?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.