CVE-2026-23398: NULL Pointer Dereference in Linux ICMP Validation
Executive Summary
CVE-2026-23398 is a high-severity vulnerability in the Linux kernel's ICMP subsystem, classified as a NULL pointer dereference. Ensure your systems and dependencies are patched immediately to mitigate exposure risks.
Precogs AI Insight
"Precogs AI detected this vulnerability pattern in NULL Pointer Dereference implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."
Summary
A high-severity NULL pointer dereference vulnerability (CVE-2026-23398) has been identified in the Linux kernel's ICMP subsystem. The icmp_tag_validation() function unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL (CWE-476).
Technical Details
The issue is classified under CWE-476 (NULL Pointer Dereference). The icmp_tag_validation() function is responsible for validating ICMP packet tags against registered protocol handlers. It uses rcu_dereference() to look up the protocol handler in the inet_protos array, but proceeds to dereference the returned pointer without verifying it is non-NULL.
When an ICMP packet references a protocol number that has no registered handler (i.e., the inet_protos[proto] slot is NULL), the unconditional dereference triggers a kernel oops or panic, depending on the kernel configuration.
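The guard described above, as a userspace model added here for illustration (not kernel source and not the actual patch). The table, struct, and function names are hypothetical stand-ins for inet_protos and icmp_tag_validation(), and returning false for a missing handler is an assumption:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_INET_PROTOS 256

/* Hypothetical stand-in for the kernel's per-protocol handler record. */
struct proto_handler {
    bool strict_tag_validation;
};

/* Sparse table: most protocol numbers have no handler, so their slot is NULL. */
static const struct proto_handler *proto_table[MAX_INET_PROTOS];

static const struct proto_handler tcp_handler = { .strict_tag_validation = true };
static const struct proto_handler udp_handler = { .strict_tag_validation = false };

/* Constructed sample registrations: only two slots are populated. */
static void register_sample_handlers(void)
{
    proto_table[6]  = &tcp_handler;   /* IPPROTO_TCP */
    proto_table[17] = &udp_handler;   /* IPPROTO_UDP */
}

/*
 * Guarded lookup. The unguarded form would be
 *     return proto_table[proto]->strict_tag_validation;
 * which dereferences NULL for any unregistered protocol number.
 */
static bool tag_validation_guarded(unsigned int proto)
{
    const struct proto_handler *h;

    if (proto >= MAX_INET_PROTOS)   /* keep the index inside the table */
        return false;
    h = proto_table[proto];         /* in-kernel: rcu_dereference() under rcu_read_lock() */
    return h ? h->strict_tag_validation : false;  /* assumed fallback: no handler, no strict validation */
}

int main(void)
{
    register_sample_handlers();
    printf("proto 6   -> %d\n", tag_validation_guarded(6));
    printf("proto 17  -> %d\n", tag_validation_guarded(17));
    printf("proto 253 -> %d\n", tag_validation_guarded(253)); /* no handler registered */
    return 0;
}
```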
Exploitation Context
- Vector: Remote / Network-based
- Authentication: Not required
- Complexity: Low
- Impact: High (Availability — immediate kernel panic)
ICMP is a fundamental network protocol that cannot be easily blocked without breaking essential network diagnostics (ping, traceroute, PMTUD). This makes the vulnerability particularly dangerous for internet-facing servers.
Remediation
Linux administrators should immediately:
- Apply the latest kernel patch that adds a NULL check after rcu_dereference(inet_protos[proto]) before proceeding with validation.
- Deploy network-level ICMP rate limiting using iptables or nftables to reduce the attack surface while patching is in progress.
- Monitor kernel logs (dmesg) for oops messages related to icmp_tag_validation that may indicate active exploitation attempts.
Precogs AI Integration
The Precogs AI Binary Security Platform analyzes compiled kernel modules for NULL pointer dereference conditions by tracing RCU-protected pointer lookups and verifying that NULL guards are present before every dereference operation, catching CWE-476 patterns in kernel network code paths.