icmp: fix NULL pointer dereference in icmp_tag_validation()

Summary

CVE	CVE-2026-23398
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-03-26 11:16:19 UTC
Updated	2026-03-30 13:26:50 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.

Risk And Classification

EPSS: 0.000320000 probability, percentile 0.091740000 (date 2026-04-01)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 git	Not specified
CNA	Linux	Linux	affected 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e b61529c357f1ee4d64836eb142a542d2e7ad67ce git	Not specified
CNA	Linux	Linux	affected 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e 9647e99d2a617c355d2b378be0ff6d0e848fd579 git	Not specified
CNA	Linux	Linux	affected 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e d938dd5a0ad780c891ea3bc94cae7405f11e618a git	Not specified
CNA	Linux	Linux	affected 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 git	Not specified
CNA	Linux	Linux	affected 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e 614aefe56af8e13331e50220c936fc0689cf5675 git	Not specified
CNA	Linux	Linux	affected 3.14	Not specified
CNA	Linux	Linux	unaffected 3.14 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.167 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.130 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.78 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.20 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.10 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0-rc5 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.