In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation()
icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
 <IRQ>
 icmp_rcv (net/ipv4/icmp.c:1527)
 ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
 ip_local_deliver_finish (net/ipv4/ip_input.c:242)
 ip_local_deliver (net/ipv4/ip_input.c:262)
 ip_rcv (net/ipv4/ip_input.c:573)
 __netif_receive_skb_one_core (net/core/dev.c:6164)
 process_backlog (net/core/dev.c:6628)
 handle_softirqs (kernel/softirq.c:561)
 </IRQ>
Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
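The defect class described above, shown as a userspace C model added for illustration; it is not the kernel patch or code from the kernel tree. All names ending in _model, the two function names, and the choice of which sample protocols set the flag are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: stands in for a per-protocol handler entry. */
struct proto_handler_model {
    bool icmp_strict_tag_validation;
};

#define MAX_PROTOS_MODEL 256

/* Constructed sample handlers; which ones opt in is an assumption. */
static const struct proto_handler_model tcp_model = { .icmp_strict_tag_validation = true };
static const struct proto_handler_model udp_model = { .icmp_strict_tag_validation = false };

/* Sparse table: every slot not listed here is NULL (no registered handler). */
static const struct proto_handler_model *protos_model[MAX_PROTOS_MODEL] = {
    [6]  = &tcp_model,
    [17] = &udp_model,
};

/* Pre-fix shape: the slot is dereferenced without a check, so an
 * unregistered protocol number reads through a NULL pointer. */
bool tag_validation_unchecked(unsigned char proto)
{
    return protos_model[proto]->icmp_strict_tag_validation;
}

/* Post-fix shape: a missing handler cannot do strict tag validation,
 * so the answer is false rather than a fault. */
bool tag_validation_checked(unsigned char proto)
{
    const struct proto_handler_model *h = protos_model[proto];
    return h ? h->icmp_strict_tag_validation : false;
}

/* Number of populated slots, to show how sparse the table is. */
int registered_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_PROTOS_MODEL; i++)
        if (protos_model[i])
            n++;
    return n;
}

int main(void)
{
    /* Protocol 253 has no entry in this model's table. */
    printf("registered=%d p6=%d p17=%d p253=%d\n", registered_count(),
           tag_validation_checked(6), tag_validation_checked(17),
           tag_validation_checked(253));
    return 0;
}
```

The unchecked variant is safe only for populated slots, which is why the value taken from the quoted inner IP header has to be treated as untrusted input to the table lookup.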
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23398.json",
"cna_assigner": "Linux"
}