PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23398 Linux CVE debrief

The Linux kernel was vulnerable to a NULL pointer dereference in the icmp_tag_validation() function. This issue arises when the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number. The vulnerability has been resolved with the addition of a NULL check before accessing icmp_strict_tag_validation. The vulnerability affects Linux kernel versions 3.14.1 to 6.19.10, and 7.0 rc1 to rc7.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-26
Original CVE updated
2026-07-14
Advisory published
2026-03-26
Advisory updated
2026-07-14

Who should care

System administrators and users of Linux kernel versions 3.14.1 to 6.19.10, and 7.0 rc1 to rc7, should be aware of this vulnerability and ensure their systems are updated with the latest kernel patches. This vulnerability can be exploited by attackers to cause a kernel panic in softirq context.

Technical summary

The icmp_tag_validation() function in the Linux kernel unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. This can cause a kernel panic in softirq context when the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number. The vulnerability has been fixed by adding a NULL check before accessing icmp_strict_tag_validation. System administrators should be aware of this vulnerability and ensure their systems are updated with the latest kernel patches.

Defensive priority

Medium priority should be given to patching this vulnerability, especially for systems that handle ICMP traffic and have hardened PMTU mode enabled.

Recommended defensive actions

  • Apply the latest Linux kernel patches to ensure the NULL check is in place.
  • Review and update system configurations to prevent exposure to unregistered protocol numbers.
  • Monitor ICMP traffic for potential exploitation attempts.
  • Perform a thorough review of the system to identify potential vulnerabilities.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-03-26T11:16:19.910Z and last modified on 2026-07-14T13:18:32.647Z. The NVD entry is currently Modified. This vulnerability affects Linux kernel versions 3.14.1 to 6.19.10, and 7.0 rc1 to rc7. There is no information on known ransomware campaign use. The CVE record was created based on the supplied source corpus and has not been modified since then.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-26T11:16:19.910Z and has not been modified since then. The NVD entry is currently Modified.