{ "threat_severity" : "Moderate", "public_date" : "2026-03-26T00:00:00Z", "bugzilla" : { "description" : "kernel: icmp: fix NULL pointer dereference in icmp_tag_validation()", "id" : "2451662", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451662" }, "cvss3" : { "cvss3_base_score" : "6.2", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nicmp: fix NULL pointer dereference in icmp_tag_validation()\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nRIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\nCall Trace:\n\nicmp_rcv (net/ipv4/icmp.c:1527)\nip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\nip_local_deliver_finish (net/ipv4/ip_input.c:242)\nip_local_deliver (net/ipv4/ip_input.c:262)\nip_rcv (net/ipv4/ip_input.c:573)\n__netif_receive_skb_one_core (net/core/dev.c:6164)\nprocess_backlog (net/core/dev.c:6628)\nhandle_softirqs (kernel/softirq.c:561)\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation.", "A flaw was found in the Linux kernel. A remote attacker could trigger a kernel panic, leading to a Denial of Service (DoS), by sending a specially crafted Internet Control Message Protocol (ICMP) Fragmentation Needed error. This occurs when the system is configured for hardened Path Maximum Transmission Unit (PMTU) discovery mode and the ICMP error contains an inner IP header with an unregistered protocol number, causing a null pointer dereference." ], "statement" : "This vulnerability requires the non-default kernel configuration ip_no_pmtu_disc=3 (hardened PMTU mode). Systems using the default PMTU discovery settings are not affected. While the attack is remotely triggerable via crafted ICMP packets, the specific configuration requirement significantly reduces the attack surface in typical deployments.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23398\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23398\nhttps://lore.kernel.org/linux-cve-announce/2026032634-CVE-2026-23398-df1e@gregkh/T" ], "name" : "CVE-2026-23398", "mitigation" : { "value" : "Ensure ip_no_pmtu_disc is not set to 3. Check with: sysctl net.ipv4.ip_no_pmtu_disc. Values 0, 1, or 2 are not affected. If using value 3, consider temporarily switching to value 1 until a kernel update is applied.", "lang" : "en:us" }, "csaw" : false }