{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23398", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.012Z", "datePublished": "2026-03-26T10:22:50.606Z", "dateUpdated": "2026-03-26T10:22:50.606Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-26T10:22:50.606Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n <IRQ>\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n </IRQ>\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/icmp.c"], "versions": [{"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "b61529c357f1ee4d64836eb142a542d2e7ad67ce", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "9647e99d2a617c355d2b378be0ff6d0e848fd579", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "d938dd5a0ad780c891ea3bc94cae7405f11e618a", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "1e4e2f5e48cec0cccaea9815fb9486c084ba41e2", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "614aefe56af8e13331e50220c936fc0689cf5675", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/icmp.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"}, {"url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"}, {"url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"}, {"url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"}, {"url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"}, {"url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"}], "title": "icmp: fix NULL pointer dereference in icmp_tag_validation()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n <IRQ>\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n </IRQ>\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."}], "id": "CVE-2026-23398", "lastModified": "2026-03-26T11:16:19.910", "metrics": {}, "published": "2026-03-26T11:16:19.910", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T11:50:25.020946+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that adds a NULL check in icmp_tag_validation() (the commit referenced in the provided URLs). Modern kernel releases contain this fix, so update to a kernel version that includes the change.", "Verify the update by checking that the source code for icmp_tag_validation() contains the null\u2011check before accessing icmp_strict_tag_validation() or by confirming the kernel version number.", "As a temporary measure, disable hardened PMTU mode by setting /proc/sys/net/ipv4/ip_no_pmtu_disc to 0 or 1 to remove the vulnerable code path.", "If the kernel cannot be updated or reconfigured immediately, block inbound ICMP Fragmentation Needed messages with a firewall rule or security\u2011group to prevent the triggering packets from reaching the system.", "Monitor kernel logs for KASAN null\u2011ptr\u2011deref messages, which would indicate a lack of the patch or that the vulnerability remains present."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that lack the fix are affected. The vulnerability was triggered in builds with hardened Path MTU Discovery enabled (ip_no_pmtu_disc set to 3). Specific kernel version numbers are not provided, so any kernel prior to the commit that added the NULL check is potentially vulnerable.", "description_and_impact": "A NULL pointer dereference occurs in the Linux kernel\u2019s icmp_tag_validation() function when it processes an ICMP Fragmentation Needed message that contains a quoted inner IP header referring to an unregistered protocol. The kernel dereferences a NULL pointer without checking, leading to a kernel panic in a soft\u2011irq context and a complete loss of availability for the machine.", "risk_and_exploitability": "The CVSS score is not disclosed and EPSS is unavailable, but the crash produces a full system reboot, so the impact is severe. Based on the description, it is inferred that an attacker can remotely send crafted ICMP Fragmentation Needed packets from another host on the network to trigger the crash, provided the target allows such packets. The vulnerability is not listed in KEV, so no publicly known exploits are reported at this time."}}}}, "created": "2026-03-26T12:08:08.100648+00:00", "updated": "2026-03-26T12:08:08.100689+00:00", "vendors": [], "weaknesses": ["CWE-476"]}