CVE-2026-23279

MEDIUM EPSS 3.4%
Published Mar 25, 20263mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Mar 25, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference. A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required. Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] CR2: 0000000000000000 Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code. The bug has been present since v3.13 (released 2014-01-19).

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥3.13  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.77
linuxlinux_kernel*≥6.13  –  <6.18.17
linuxlinux_kernel*≥6.19  –  <6.19.7
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a
    Patch