CVE-2026-23398

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> icmp: fix NULL pointer dereference in icmp_tag_validation()<br /> <br /> icmp_tag_validation() unconditionally dereferences the result of<br /> rcu_dereference(inet_protos[proto]) without checking for NULL.<br /> The inet_protos[] array is sparse -- only about 15 of 256 protocol<br /> numbers have registered handlers. When ip_no_pmtu_disc is set to 3<br /> (hardened PMTU mode) and the kernel receives an ICMP Fragmentation<br /> Needed error with a quoted inner IP header containing an unregistered<br /> protocol number, the NULL dereference causes a kernel panic in<br /> softirq context.<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]<br /> RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)<br /> Call Trace:<br /> <br /> icmp_rcv (net/ipv4/icmp.c:1527)<br /> ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)<br /> ip_local_deliver_finish (net/ipv4/ip_input.c:242)<br /> ip_local_deliver (net/ipv4/ip_input.c:262)<br /> ip_rcv (net/ipv4/ip_input.c:573)<br /> __netif_receive_skb_one_core (net/core/dev.c:6164)<br /> process_backlog (net/core/dev.c:6628)<br /> handle_softirqs (kernel/softirq.c:561)<br /> <br /> <br /> Add a NULL check before accessing icmp_strict_tag_validation. If the<br /> protocol has no registered handler, return false since it cannot<br /> perform strict tag validation.