Linux Kernel: ICMP NULL deref in icmp_tag_validation causes panic
CVE-2026-23398 Published on March 26, 2026
icmp: fix NULL pointer dereference in icmp_tag_validation()
In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation()
icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL.
The inet_protos[] array is sparse -- only about 15 of 256 protocol
numbers have registered handlers. When ip_no_pmtu_disc is set to 3
(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
Needed error with a quoted inner IP header containing an unregistered
protocol number, the NULL dereference causes a kernel panic in
softirq context.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>
Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.
Products Associated with CVE-2026-23398
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e and below 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 is affected.
- Version 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e and below b61529c357f1ee4d64836eb142a542d2e7ad67ce is affected.
- Version 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e and below 9647e99d2a617c355d2b378be0ff6d0e848fd579 is affected.
- Version 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e and below d938dd5a0ad780c891ea3bc94cae7405f11e618a is affected.
- Version 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e and below 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 is affected.
- Version 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e and below 614aefe56af8e13331e50220c936fc0689cf5675 is affected.
- Version 3.14 is affected.
- Before 3.14 is unaffected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.78, <= 6.12.* is unaffected.
- Version 6.18.20, <= 6.18.* is unaffected.
- Version 6.19.10, <= 6.19.* is unaffected.
- Version 7.0-rc5, <= * is unaffected.