CVE-2026-23398
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation()
icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse – only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ>
Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < 571d9d7b650f02d1e38c01128817868bceac9edd | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < d783fa413c702ff0f8f8bea63f862e28eeaf39e3 | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161 | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < b61529c357f1ee4d64836eb142a542d2e7ad67ce | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < 9647e99d2a617c355d2b378be0ff6d0e848fd579 | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < d938dd5a0ad780c891ea3bc94cae7405f11e618a | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 | affected |
| Linux | Linux | 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e < 614aefe56af8e13331e50220c936fc0689cf5675 | affected |
| Linux | Linux | 3.14 | affected |
| Linux | Linux | 0 < 3.14 | unaffected |
| Linux | Linux | 5.10.253 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.203 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.167 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.130 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.78 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.20 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.10 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd
- https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3
- https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
- https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce
- https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579
- https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a
- https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2
- https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.