CVE-2026-23396

Severity: Medium · CVSS 3.1: 5.5 · EPSS: 1.8%
Published Mar 26, 2026 · Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local()
- mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel.

The captured crash log:

    Oops: general protection fault, probably for non-canonical address ...
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    Workqueue: events_unbound cfg80211_wiphy_work
    [...]
    Call Trace:
     <TASK>
     ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
     ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
     [...]
     ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
     [...]
     cfg80211_wiphy_work (net/wireless/core.c:426)
     process_one_work (net/kernel/workqueue.c:3280)
     ? assign_work (net/kernel/workqueue.c:1219)
     worker_thread (net/kernel/workqueue.c:3352)
     ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
     kthread (net/kernel/kthread.c:436)
     [...]
     ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
     </TASK>

This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
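The guard described above, as an added user-space model that is not the kernel's code: an element walker leaves the Mesh Configuration pointer NULL when that element is absent, and the match function returns false before reading it. The struct, the function names (parse_elems, matches_local, check), the five compared config bytes and both sample buffers are constructed assumptions; element IDs 113 (Mesh Configuration) and 114 (Mesh ID) are the IEEE 802.11 values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { EID_MESH_CONFIG = 113, EID_MESH_ID = 114, MESHCONF_LEN = 7 };

/* Simplified model of parsed elements: a pointer stays NULL if the element is absent. */
struct elems { const uint8_t *mesh_id; uint8_t mesh_id_len; const uint8_t *mesh_config; };

/* Walk id/length/value elements; returns false on a truncated element. */
static bool parse_elems(const uint8_t *buf, size_t len, struct elems *out)
{
    memset(out, 0, sizeof(*out));
    while (len >= 2) {
        uint8_t id = buf[0], elen = buf[1];
        if ((size_t)elen > len - 2)
            return false;
        if (id == EID_MESH_ID) {
            out->mesh_id = buf + 2;
            out->mesh_id_len = elen;
        } else if (id == EID_MESH_CONFIG && elen >= MESHCONF_LEN) {
            out->mesh_config = buf + 2;
        }
        buf += 2 + elen;
        len -= 2 + (size_t)elen;
    }
    return len == 0;
}

/* Constructed local profile: mesh ID "mesh" and the five config bytes that are compared. */
static const uint8_t local_id[] = { 'm', 'e', 's', 'h' };
static const uint8_t local_cfg[5] = { 1, 1, 0, 1, 0 };

/* Model of the patched check: return before mesh_config is ever read. */
static bool matches_local(const struct elems *ie)
{
    if (!ie->mesh_config)
        return false; /* the early return the fix adds */
    return ie->mesh_id_len == sizeof(local_id) &&
           memcmp(ie->mesh_id, local_id, sizeof(local_id)) == 0 &&
           memcmp(ie->mesh_config, local_cfg, sizeof(local_cfg)) == 0;
}

/* Constructed element buffers: Mesh ID only, then Mesh ID plus Mesh Configuration. */
static const uint8_t id_only[] = { 114, 4, 'm', 'e', 's', 'h' };
static const uint8_t id_and_cfg[] = { 114, 4, 'm', 'e', 's', 'h', 113, 7, 1, 1, 0, 1, 0, 0, 0 };

static int check(const uint8_t *b, size_t n) { struct elems ie; return parse_elems(b, n, &ie) && matches_local(&ie); }
int main(void) { return check(id_only, sizeof(id_only)) != 0 || check(id_and_cfg, sizeof(id_and_cfg)) != 1; }
```

Without the first `if` in matches_local, the Mesh-ID-only buffer would reach the final memcmp with a NULL pointer, which is the dereference the crash log records.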

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
1.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 15

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.26.1 – <5.10.253
linux   linux_kernel  *        ≥5.11 – <5.15.203
linux   linux_kernel  *        ≥5.16 – <6.1.167
linux   linux_kernel  *        ≥6.2 – <6.6.130
linux   linux_kernel  *        ≥6.7 – <6.12.78
linux   linux_kernel  *        ≥6.13 – <6.18.20
linux   linux_kernel  *        ≥6.19 – <6.19.10
linux   linux_kernel  2.6.26   any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd
    Patch
