{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23398", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.012Z", "datePublished": "2026-03-26T10:22:50.606Z", "dateUpdated": "2026-05-11T22:06:08.296Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:08.296Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n <IRQ>\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n </IRQ>\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/icmp.c"], "versions": [{"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "571d9d7b650f02d1e38c01128817868bceac9edd", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "d783fa413c702ff0f8f8bea63f862e28eeaf39e3", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "b61529c357f1ee4d64836eb142a542d2e7ad67ce", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "9647e99d2a617c355d2b378be0ff6d0e848fd579", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "d938dd5a0ad780c891ea3bc94cae7405f11e618a", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "1e4e2f5e48cec0cccaea9815fb9486c084ba41e2", "status": "affected", "versionType": "git"}, {"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e", "lessThan": "614aefe56af8e13331e50220c936fc0689cf5675", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/icmp.c"], "versions": [{"version": "3.14", "status": "affected"}, {"version": "0", "lessThan": "3.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd"}, {"url": "https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3"}, {"url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"}, {"url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"}, {"url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"}, {"url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"}, {"url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"}, {"url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"}], "title": "icmp: fix NULL pointer dereference in icmp_tag_validation()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96775134-B6E9-42CE-A367-9B4C33EFBF22", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.14:-:*:*:*:*:*:*", "matchCriteriaId": "851B1505-0318-49F4-8D7C-196BE04FF173", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n <IRQ>\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n </IRQ>\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nicmp: soluciona la desreferencia de puntero NULL en icmp_tag_validation()\n\nicmp_tag_validation() desreferencia incondicionalmente el resultado de rcu_dereference(inet_protos[proto]) sin comprobar si es NULL. El array inet_protos[] es disperso -- solo unos 15 de 256 n\u00fameros de protocolo tienen gestores registrados. Cuando ip_no_pmtu_disc se establece en 3 (modo PMTU endurecido) y el kernel recibe un error ICMP Fragmentation Needed con una cabecera IP interna citada que contiene un n\u00famero de protocolo no registrado, la desreferencia NULL causa un p\u00e1nico del kernel en contexto de softirq.\n\n Oops: fallo de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: desreferencia de puntero nulo en el rango [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Traza de Llamada:\n \n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n \n\nA\u00f1adir una comprobaci\u00f3n de NULL antes de acceder a icmp_strict_tag_validation. Si el protocolo no tiene un gestor registrado, devolver falso ya que no puede realizar una validaci\u00f3n estricta de etiquetas."}], "id": "CVE-2026-23398", "lastModified": "2026-04-24T15:17:53.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T11:16:19.910", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/571d9d7b650f02d1e38c01128817868bceac9edd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d783fa413c702ff0f8f8bea63f862e28eeaf39e3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: icmp: fix NULL pointer dereference in icmp_tag_validation()", "id": "2451662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451662"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nicmp: fix NULL pointer dereference in icmp_tag_validation()\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nRIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\nCall Trace:\n<IRQ>\nicmp_rcv (net/ipv4/icmp.c:1527)\nip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\nip_local_deliver_finish (net/ipv4/ip_input.c:242)\nip_local_deliver (net/ipv4/ip_input.c:262)\nip_rcv (net/ipv4/ip_input.c:573)\n__netif_receive_skb_one_core (net/core/dev.c:6164)\nprocess_backlog (net/core/dev.c:6628)\nhandle_softirqs (kernel/softirq.c:561)\n</IRQ>\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation.", "A flaw was found in the Linux kernel. A remote attacker could trigger a kernel panic, leading to a Denial of Service (DoS), by sending a specially crafted Internet Control Message Protocol (ICMP) Fragmentation Needed error. This occurs when the system is configured for hardened Path Maximum Transmission Unit (PMTU) discovery mode and the ICMP error contains an inner IP header with an unregistered protocol number, causing a null pointer dereference."], "mitigation": {"lang": "en:us", "value": "Ensure ip_no_pmtu_disc is not set to 3. Check with: sysctl net.ipv4.ip_no_pmtu_disc. Values 0, 1, or 2 are not affected. If using value 3, consider temporarily switching to value 1 until a kernel update is applied."}, "name": "CVE-2026-23398", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23398\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23398\nhttps://lore.kernel.org/linux-cve-announce/2026032634-CVE-2026-23398-df1e@gregkh/T"], "statement": "This vulnerability requires the non-default kernel configuration ip_no_pmtu_disc=3 (hardened PMTU mode). Systems using the default PMTU discovery settings are not affected. While the attack is remotely triggerable via crafted ICMP packets, the specific configuration requirement significantly reduces the attack surface in typical deployments.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e,1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e,b61529c357f1ee4d64836eb142a542d2e7ad67ce)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e,9647e99d2a617c355d2b378be0ff6d0e848fd579)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e,d938dd5a0ad780c891ea3bc94cae7405f11e618a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e,1e4e2f5e48cec0cccaea9815fb9486c084ba41e2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e,614aefe56af8e13331e50220c936fc0689cf5675)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:56:24.288100+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that includes the fix for CVE-2026-23398.", "If upgrading is not immediately possible, disable hardened PMTU discovery by setting net.ipv4.ip_no_pmtu_disc to 0.", "Monitor system logs for kernel oops or hard\u2011panic messages and adjust firewall rules to block suspicious ICMP traffic."], "summary": {"action": "Immediate Patch", "impact": "Kernel Crash / Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the unpatched icmp_tag_validation implementation are affected, specifically the kernel versions enumerated in the CVE such as 3.14 and 7.0 release candidates from rc1 through rc7, as indicated by the listed CPEs. The defect is part of the standard IPv4 ICMP handling code, so these kernel versions are at risk until the patch is applied.", "description_and_impact": "The flaw stems from an unconditional dereference of a possibly null protocol handler within icmp_tag_validation. When the kernel is configured for hardened Path MTU Discovery (ip_no_pmtu_disc set to 3) and receives an ICMP Fragmentation Needed message that quotes an inner IP header using an unregistered protocol number, the null pointer dereference triggers a kernel panic during softirq processing. This leads to a complete loss of service for the affected host and can be triggered remotely via the network stack.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.5, indicating moderate severity, and an EPSS score below 1%, implying a low probability of exploitation. It is not listed in the CISA KEV catalog. The attack requires only the ability to send crafted ICMP packets to a host with hardened PMTU enabled, which is a remote network\u2011based attack vector. Although not considered widely exploited, an attacker who can reach the target could cause a crash and disrupt availability."}}}}, "created": "2026-03-26T12:08:08.100648+00:00", "updated": "2026-04-28T22:00:14.167007+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}