## https://sploitus.com/exploit?id=7AE7B121-B287-5FC3-882E-E33709C2E5BA
# CVE-2026-23398
Linux Kernel `icmp_tag_validation()` NULL Pointer Dereference (Remote DoS)
## Description
`icmp_tag_validation()` in `net/ipv4/icmp.c` dereferences `inet_protos[proto]`
without a NULL check. A remote attacker can send a single crafted ICMP
Fragmentation Needed packet with an unregistered inner protocol number to crash
the kernel in softirq context.
Affected: Linux kernel before commits 614aefe56af8 (mainline) / d938dd5a0ad7 (stable 6.12)
## Usage
```bash
sudo python3 poc.py --target # single packet, proto 253
sudo python3 poc.py --target --proto 252 # alternate unregistered proto
sudo python3 poc.py --target --count 5 # repeat
```
## Requirements
- Layer 3 adjacency to target (spoofed source IP supported)
- Target: `net.ipv4.ip_no_pmtu_disc = 3` (non-default; required for `icmp_tag_validation()` to be reached)
- Attacker: root, Python 3, Scapy
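
The `net.ipv4.ip_no_pmtu_disc = 3` requirement above can be audited on a host. The script below is an added example, not part of the PoC or of the kernel project. It reports whether the setting is live or persisted in the standard sysctl configuration locations; it does not determine whether the running kernel already contains the fix commits. The function names and state labels are chosen for this example.

```bash
#!/bin/sh
# Added example: checks only the sysctl precondition named in Requirements,
# not whether the running kernel already carries the fix.

# Matches "net.ipv4.ip_no_pmtu_disc = 3" in sysctl.conf syntax
# ('.' or '/' separators, optional leading '-'); commented-out lines do not match.
KEY_RE='^[[:space:]]*-?[[:space:]]*net[./]ipv4[./]ip_no_pmtu_disc[[:space:]]*=[[:space:]]*3[[:space:]]*$'

# Print the live value from the given proc file, or "unknown" if unreadable.
runtime_value() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo unknown; fi
}

# Print every config file (a file, or *.conf inside a directory) that sets the key to 3.
persistent_hits() {
    for p in "$@"; do
        for f in "$p" "$p"/*.conf; do
            if [ -f "$f" ] && grep -Eq "$KEY_RE" "$f"; then echo "$f"; fi
        done
    done
}

# Classify: "active" (live value is 3), "persisted-only" (a config file will
# apply 3 at next boot or `sysctl --system`), or "not-set".
precondition_state() {
    proc_file=$1; shift
    if [ "$(runtime_value "$proc_file")" = 3 ]; then echo active
    elif [ -n "$(persistent_hits "$@")" ]; then echo persisted-only
    else echo not-set
    fi
}

# Audit this host using the standard sysctl locations.
audit_host() {
    proc=/proc/sys/net/ipv4/ip_no_pmtu_disc
    set -- /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d \
           /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d
    echo "ip_no_pmtu_disc runtime value: $(runtime_value "$proc")"
    echo "precondition state: $(precondition_state "$proc" "$@")"
    persistent_hits "$@" | sed 's/^/  set to 3 in: /'
}

audit_host
```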
## References
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d938dd5a0ad780c891ea3bc94cae7405f11e618a
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=614aefe56af8