Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()

In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
at lines 1638 and 1642 without a prior NULL check:

    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
    ...
    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);

The mesh_matches_local() check above only validates the Mesh ID,
Mesh Configuration, and Supported Rates IEs. It does not verify the
presence of the Mesh Channel Switch Parameters IE (element ID 118).
When a received CSA action frame omits that IE, ieee802_11_parse_elems()
leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
dereference causes a kernel NULL pointer dereference.

A remote mesh peer with an established peer link (PLINK_ESTAB) can
trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
that includes a matching Mesh ID and Mesh Configuration IE but omits the
Mesh Channel Switch Parameters IE. No authentication beyond the default
open mesh peering is required.

Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: Oops: 0000 [#1] SMP NOPTI
    RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
    CR2: 0000000000000000

Fix by adding a NULL check for mesh_chansw_params_ie after
mesh_matches_local() returns, consistent with how other optional IEs
are guarded throughout the mesh code.

The bug has been present since v3.13 (released 2014-01-19).
Published: 2026-03-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash causing denial of service
Action: Immediate Patch
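
The guard the description calls for, shown in a simplified user-space C model. This is an added example, not the kernel patch or code from this page: the struct and function names are hypothetical, the byte-wise 6-byte element layout and the Mesh ID value 114 are assumptions of the model, and the sample buffers are constructed. The parser leaves the pointer NULL when element 118 is absent or wrongly sized, and the handler checks it before reading mesh_ttl and mesh_pre_value.

```c
/* Added example: simplified user-space model, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_MESH_CHANSW_PARAMS 118   /* element ID given in the description */

/* Byte-wise layout (alignment 1, no padding); model of the 6-byte IE body. */
struct chansw_params { uint8_t mesh_ttl, mesh_flags, mesh_reason[2], mesh_pre_value[2]; };
struct parsed_elems  { const struct chansw_params *mesh_chansw_params_ie; };
struct csa_state     { uint8_t chsw_ttl; uint16_t pre_value; };

/* Constructed sample element buffers (ID, length, value); 114 = Mesh ID. */
static const uint8_t with_ie[]    = { 114, 2, 'm', '1',  118, 6, 5, 0, 0, 0, 0x34, 0x12 };
static const uint8_t without_ie[] = { 114, 2, 'm', '1' };
static const uint8_t truncated[]  = { 118, 6, 5, 0 };
static struct csa_state demo_state;

/* Walk the elements; an absent or wrongly sized IE leaves the pointer NULL. */
static int parse_elems(const uint8_t *buf, size_t len, struct parsed_elems *out)
{
    size_t pos = 0;
    out->mesh_chansw_params_ie = NULL;
    while (pos + 2 <= len) {
        uint8_t id = buf[pos], elen = buf[pos + 1];
        if (elen > len - pos - 2)
            return -1;                          /* element runs past the buffer */
        if (id == EID_MESH_CHANSW_PARAMS && elen == sizeof(struct chansw_params))
            out->mesh_chansw_params_ie = (const void *)&buf[pos + 2];
        pos += 2 + (size_t)elen;
    }
    return pos == len ? 0 : -1;
}

/* Returns 0 and updates st, or -1 when the frame must be dropped. */
static int handle_csa(const uint8_t *buf, size_t len, struct csa_state *st)
{
    struct parsed_elems e;
    if (parse_elems(buf, len, &e) != 0 || !e.mesh_chansw_params_ie)
        return -1;                              /* NULL check before any dereference */
    st->chsw_ttl  = e.mesh_chansw_params_ie->mesh_ttl;
    st->pre_value = (uint16_t)(e.mesh_chansw_params_ie->mesh_pre_value[0] |
                               (e.mesh_chansw_params_ie->mesh_pre_value[1] << 8));
    return 0;
}

int main(void)
{
    printf("with IE: %d\n", handle_csa(with_ie, sizeof with_ie, &demo_state));
    printf("without IE: %d\n", handle_csa(without_ie, sizeof without_ie, &demo_state));
    printf("truncated: %d\n", handle_csa(truncated, sizeof truncated, &demo_state));
    return 0;
}
```
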
AI Analysis

Impact

The vulnerability is a null pointer dereference in the mac80211 mesh channel switch frame handling. When a mesh peer receives a crafted channel switch action frame that omits the optional Mesh Channel Switch Parameters element, the kernel dereferences a NULL pointer and crashes. The weakness is a classic null dereference (CWE-476). The result is a kernel panic that brings the host down, creating a denial-of-service condition. No privilege or authentication is needed beyond an established open mesh link.

Affected Systems

This flaw exists in the Linux kernel for all releases since version 3.13. The bug was confirmed on kernel 6.17.0-5-generic and affects any system that uses the mac80211 subsystem with wireless mesh support. The affected products are identified as “Linux: Linux Kernel” and are represented by the CPE string “cpe:2.3:o:linux:linux_kernel:*:…”. Every installation of the kernel that contains mac80211 and has mesh enabled is potentially vulnerable unless patched.

Risk and Exploitability

The probability of exploitation, according to EPSS, is less than 1% and the vulnerability does not appear in CISA’s KEV catalog, indicating a low likelihood of widespread attack. Nevertheless, the impact of a kernel crash is severe. An attacker would need to establish a mesh link with the target and send a malicious channel-switch action frame; no additional authentication is required. Because the flaw leads directly to a kernel panic, the path to exploitation is straightforward, but because it is reachable only through wireless mesh traffic, the attack surface is more niche. The official patch adds a NULL check and is available in the latest kernel releases, so the recommended mitigation is to update the kernel as soon as possible.

Generated by OpenCVE AI on March 26, 2026 at 02:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Linux kernel update that includes the mac80211 patch for mesh_rx_csa_frame()
  • Verify that wireless mesh or mac80211 features are enabled only if required
  • If unable to update immediately, consider disabling the mesh interface or the 802.11s feature to eliminate the attack vector


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Title wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:35.221Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23279

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-25T11:16:22.333

Modified: 2026-04-18T09:16:16.163

Link: CVE-2026-23279

Redhat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23279 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:17:38Z

Weaknesses