In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL deref in mesh_matches_local()
mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.
The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
mesh_process_plink_frame(), which checks !elems->mesh_config, too
mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.
The captured crash log:
Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
<TASK>
? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
</TASK>
This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.
References
Configurations
Configuration 1 (hide)
|
History
24 Apr 2026, 15:18
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Linux
Linux linux Kernel |
|
| CPE | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:2.6.26:-:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
|
| References | () https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813 - Patch | |
| References | () https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64 - Patch | |
| References | () https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d - Patch | |
| References | () https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568 - Patch | |
| References | () https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116 - Patch | |
| References | () https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004 - Patch | |
| References | () https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c - Patch | |
| References | () https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd - Patch | |
| CWE | CWE-476 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
18 Apr 2026, 09:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
30 Mar 2026, 13:26
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
26 Mar 2026, 11:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-26 11:16
Updated : 2026-04-24 15:18
NVD link : CVE-2026-23396
Mitre link : CVE-2026-23396
CVE.ORG link : CVE-2026-23396
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-476
NULL Pointer Dereference