CVE-2026-23398: NULL Pointer Dereference in Linux ICMP Validation

Verified by Precogs Threat Research
Last Updated: Mar 26, 2026
Base Score: HIGH

Executive Summary

CVE-2026-23398 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in the Linux kernel's ICMP subsystem. Ensure affected kernels and dependent systems are patched immediately to mitigate exposure.

Precogs AI Insight

"Precogs AI detected this vulnerability pattern in NULL Pointer Dereference implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."

Exploit Probability (EPSS): Low (0.0%)
Public POC: Undisclosed
Exploit Probability: Elevated (52%)
Public POC: Available
Affected Assets: CWE-476

Summary

A high-severity NULL pointer dereference vulnerability (CVE-2026-23398) has been identified in the Linux kernel's ICMP subsystem. The icmp_tag_validation() function unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL (CWE-476).

Technical Details

The issue is classified under CWE-476 (NULL Pointer Dereference). The icmp_tag_validation() function is responsible for validating ICMP packet tags against registered protocol handlers. It uses rcu_dereference() to look up the protocol handler in the inet_protos array, but proceeds to dereference the returned pointer without verifying it is non-NULL.

When an ICMP packet references a protocol number that has no registered handler (i.e., the inet_protos[proto] slot is NULL), the unconditional dereference triggers a kernel oops or panic, depending on the kernel configuration.
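The following user-space model, added here as an illustration and not taken from the Linux kernel or from the advisory, shows the shape of the defect described above and the shape of the fix. A 256-slot handler table stands in for inet_protos[] (most slots NULL, as on a real host), lookup_proto() stands in for the rcu_dereference() load, and the icmp_strict_tag_validation field is a hypothetical per-protocol flag. tag_validation_unchecked() has the CWE-476 shape; tag_validation_checked() adds the NULL guard that the remediation calls for.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Added example: a user-space model of a protocol handler table like
 * inet_protos[], indexed by IP protocol number. Slots with no registered
 * handler are NULL. Not the kernel's code. */
#define MAX_INET_PROTOS 256

struct net_protocol {
    const char *name;
    /* Hypothetical per-protocol flag consulted by tag validation. */
    bool icmp_strict_tag_validation;
};

static const struct net_protocol tcp_protocol = { "tcp", true };
static const struct net_protocol udp_protocol = { "udp", false };

/* Only TCP (6) and UDP (17) are registered; every other slot is NULL. */
static const struct net_protocol *inet_protos[MAX_INET_PROTOS] = {
    [6]  = &tcp_protocol,
    [17] = &udp_protocol,
};

/* Stand-in for rcu_dereference(inet_protos[proto]): a plain load whose
 * result may legitimately be NULL for an unregistered protocol. */
static const struct net_protocol *lookup_proto(unsigned int proto)
{
    if (proto >= MAX_INET_PROTOS)
        return NULL;
    return inet_protos[proto];
}

/* VULNERABLE shape (CWE-476): the lookup result is dereferenced with no
 * NULL check. Called with an unregistered protocol number this crashes,
 * which in kernel context is the oops/panic the advisory describes. */
bool tag_validation_unchecked(unsigned int proto)
{
    const struct net_protocol *ipprot = lookup_proto(proto);
    return ipprot->icmp_strict_tag_validation; /* NULL deref if no handler */
}

/* HARDENED shape: guard the pointer before touching it. A protocol with
 * no handler is treated as non-strict instead of crashing. */
bool tag_validation_checked(unsigned int proto)
{
    const struct net_protocol *ipprot = lookup_proto(proto);
    if (!ipprot)
        return false;
    return ipprot->icmp_strict_tag_validation;
}

int main(void)
{
    unsigned int probes[] = { 6, 17, 200 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("proto %u: strict=%d\n", probes[i],
               tag_validation_checked(probes[i]));
    /* tag_validation_unchecked(200) would dereference NULL here. */
    return 0;
}
```

The unchecked variant is only safe for protocol numbers that have a handler, which is exactly the assumption an attacker-controlled protocol field in an ICMP error payload violates; the checked variant makes the unregistered case an explicit, non-crashing outcome.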

Exploitation Context

  • Vector: Remote / Network-based
  • Authentication: Not required
  • Complexity: Low
  • Impact: High (Availability — immediate kernel panic)

ICMP is a fundamental network protocol that cannot be easily blocked without breaking essential network diagnostics (ping, traceroute, PMTUD). This makes the vulnerability particularly dangerous for internet-facing servers.

Remediation

Linux administrators should immediately:

  1. Apply the latest kernel patch that adds a NULL check after rcu_dereference(inet_protos[proto]) before proceeding with validation.
  2. Deploy network-level ICMP rate limiting using iptables or nftables to reduce the attack surface while patching is in progress.
  3. Monitor kernel logs (dmesg) for oops messages related to icmp_tag_validation that may indicate active exploitation attempts.
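For step 3, the scanner below is an added example (not Precogs tooling and not part of the advisory) of the check a defender would run over dmesg output: it pairs a "kernel NULL pointer dereference" oops header with a following RIP line whose symbol is icmp_tag_validation, and counts each such pair as one event. The log lines embedded in sample_dmesg are constructed for the example, including the addresses and offsets, and are not captured from a real host.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed sample of dmesg-style lines: one ICMP oops, then unrelated
 * noise, then a RIP in a different subsystem with no oops header. */
static const char *sample_dmesg[] = {
    "[  120.301117] BUG: kernel NULL pointer dereference, address: 0000000000000018",
    "[  120.301402] #PF: supervisor read access in kernel mode",
    "[  120.301733] RIP: 0010:icmp_tag_validation+0x2a/0x80",
    "[  120.302001] Call Trace:",
    "[  120.302220]  icmp_rcv+0x1c3/0x3a0",
    "[  140.500000] NET: Registered PF_INET protocol family",
    "[  150.000000] RIP: 0010:ext4_file_write_iter+0x3b/0x100",
};
#define SAMPLE_LINES (sizeof(sample_dmesg) / sizeof(sample_dmesg[0]))

/* True when the line is the header of a NULL-pointer oops. */
static bool is_null_deref_header(const char *line)
{
    return strstr(line, "kernel NULL pointer dereference") != NULL;
}

/* True when the line reports an instruction pointer inside `func`.
 * The symbol must be followed by '+', a space or end of line so that
 * a longer symbol sharing the prefix does not match. */
static bool rip_in_function(const char *line, const char *func)
{
    const char *rip = strstr(line, "RIP: ");
    if (!rip)
        return false;
    const char *sym = strstr(rip, func);
    if (!sym)
        return false;
    char next = sym[strlen(func)];
    return next == '+' || next == ' ' || next == '\0';
}

/* Walks the log in order. An oops header followed within `window` lines
 * by a RIP inside `func` counts as one event; a RIP with no preceding
 * header (or outside the window) is ignored. */
int count_oops_in_function(const char *const *lines, size_t n,
                           const char *func, size_t window)
{
    int events = 0;
    bool armed = false;
    size_t armed_until = 0;

    for (size_t i = 0; i < n; i++) {
        if (is_null_deref_header(lines[i])) {
            armed = true;
            armed_until = i + window;
            continue;
        }
        if (armed && i <= armed_until && rip_in_function(lines[i], func)) {
            events++;
            armed = false; /* one header, one event */
        }
    }
    return events;
}

/* Convenience wrapper over the constructed sample. */
int scan_sample_log(void)
{
    return count_oops_in_function(sample_dmesg, SAMPLE_LINES,
                                  "icmp_tag_validation", 5);
}

int main(void)
{
    printf("icmp_tag_validation oops events: %d\n", scan_sample_log());
    return 0;
}
```

On a live host the same logic applies to `dmesg` or `journalctl -k` output fed line by line; a non-zero count is a signal to correlate with the ICMP sources seen at the firewall and with the kernel version in place, since a single unpatched kernel will typically panic on the first event rather than log many.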

Precogs AI Integration

The Precogs AI Binary Security Platform analyzes compiled kernel modules for NULL pointer dereference conditions by tracing RCU-protected pointer lookups and verifying that NULL guards are present before every dereference operation, catching CWE-476 patterns in kernel network code paths.

Vulnerability Code Signature

Attack Data Flow

Stage    Detail
Source   Memory allocation or pointer return value
Vector   Pointer is accessed without checking if it is NULL
Sink     Pointer dereference
Impact   Denial of service (crash)

Vulnerable Code Pattern

// ❌ VULNERABLE: NULL Pointer Dereference
#include <stdlib.h>

void process_data(void) {
    char *buffer = malloc(1024);
    // Taint sink: accessing pointer without NULL check
    buffer[0] = 'A';   // crashes if malloc() returned NULL
    free(buffer);
}

Secure Code Pattern

// ✅ SECURE: NULL check
#include <stdlib.h>

void process_data(void) {
    char *buffer = malloc(1024);
    // Sanitized validation: only touch the buffer if allocation succeeded
    if (buffer != NULL) {
        buffer[0] = 'A';
        free(buffer);
    }
}

How Precogs Detects This

The Precogs Binary SAST engine identifies missing pointer validation and complex state transitions in compiled binaries.

Related Vulnerabilities (via CWE-476)

Is your system affected?

Precogs AI detects CVE-2026-23398 in compiled binaries, LLMs, and application layers — even without source code access.