CVE-2026-23398

In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2	Patch
https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161	Patch
https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd	Patch
https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675	Patch
https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579	Patch
https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce	Patch
https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3	Patch
https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:3.14:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

History

24 Apr 2026, 15:17

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 -~~	() https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 - Patch
References	~~() https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 -~~	() https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 - Patch
References	~~() https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd -~~	() https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd - Patch
References	~~() https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675 -~~	() https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675 - Patch
References	~~() https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579 -~~	() https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579 - Patch
References	~~() https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce -~~	() https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce - Patch
References	~~() https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3 -~~	() https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3 - Patch
References	~~() https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a -~~	() https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a - Patch
CPE		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:3.14:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
CWE		CWE-476
First Time		Linux Linux linux Kernel

18 Apr 2026, 09:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd - () https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3 -

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: icmp: soluciona la desreferencia de puntero NULL en icmp_tag_validation() icmp_tag_validation() desreferencia incondicionalmente el resultado de rcu_dereference(inet_protos[proto]) sin comprobar si es NULL. El array inet_protos[] es disperso -- solo unos 15 de 256 números de protocolo tienen gestores registrados. Cuando ip_no_pmtu_disc se establece en 3 (modo PMTU endurecido) y el kernel recibe un error ICMP Fragmentation Needed con una cabecera IP interna citada que contiene un número de protocolo no registrado, la desreferencia NULL causa un pánico del kernel en contexto de softirq. Oops: fallo de protección general, probablemente para dirección no canónica 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: desreferencia de puntero nulo en el rango [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Traza de Llamada: icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) Añadir una comprobación de NULL antes de acceder a icmp_strict_tag_validation. Si el protocolo no tiene un gestor registrado, devolver falso ya que no puede realizar una validación estricta de etiquetas.

26 Mar 2026, 11:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 11:16

Updated : 2026-04-24 15:17

NVD link : CVE-2026-23398

Mitre link : CVE-2026-23398

CVE.ORG link : CVE-2026-23398

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10