CVE-2026-23396 - Vulnerability Details

- wifi: mac80211: fix NULL deref in mesh_matches_local()

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.

The captured crash log:

Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
<TASK>
? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
</TASK>

This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.

Published: 2026-03-26

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The issue originates from an unchecked dereference of the Mesh Configuration element within the mesh_matches_local function in the Linux kernel’s mac80211 subsystem. When a CSA action frame is received that contains a Mesh ID IE but omits the Mesh Configuration IE, the function dereferences a null pointer, triggering a kernel panic. This constitutes a denial‑of‑service vulnerability and falls under CWE-476.

Affected Systems

All Linux kernels that include the mac80211 mesh networking stack are impacted. The affected vendors list only "Linux" and no specific version numbers are provided, so any kernel build that predates the patch that adds a null check is vulnerable. This includes typical distributions that ship the upstream kernel.

Risk and Exploitability

The EPSS score is reported as < 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. The likely attack vector is a remote wireless adversary that can transmit a crafted CSA action frame. Based on the description, the attacker can send a frame that includes a Mesh ID IE while omitting the Mesh Configuration IE, causing the null dereference. Exploitation requires the device to have mesh networking enabled and the ability to process malformed CSA frames, which limits the attack surface to wireless interfaces exposing the mesh feature.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< 14a4fd13657a3f2489db6566f081adfb27a49c64
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< 74de6fa472b03bc8cde0a081484e9960bcbda568
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< c1e3f2416fb27c816ce96d747d3e784e31f4d95c
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< 0a4da176ae4b4e075a19c00d3e269cfd5e05a813
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< 44699c6cdfce80a0f296b54ae9314461e3e41b3d
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< 7c55a3deaf7eaaafa2546f8de7fed19382a0a116
`2e3c8736820bf72a8ad10721c7e31d36d4fa7790`	affected	< c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd

Linux

affected

Version	Status	Constraints
`2.6.26`	affected	—
`0`	unaffected	< 2.6.26
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,c1e3f2416fb27c816ce96d747d3e784e31f4d95c)`	affected	code_commit	—
`[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,0a4da176ae4b4e075a19c00d3e269cfd5e05a813)`	affected	code_commit	—
`[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004)`	affected	code_commit	—
`[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,44699c6cdfce80a0f296b54ae9314461e3e41b3d)`	affected	code_commit	—
`[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,7c55a3deaf7eaaafa2546f8de7fed19382a0a116)`	affected	code_commit	—
`[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.26`	affected	semver	—
`[0,2.6.26)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,7.0.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the patch for mesh_matches_local.
If an update is not immediately available, disable mesh networking on vulnerable devices to remove the trigger point.
Verify the kernel version or patch status on affected hosts to confirm the vulnerability is resolved.
Monitor system logs for general protection faults, KASAN null pointer dereferences, or kernel panics that may indicate an attempted exploitation.

Generated by OpenCVE AI on March 27, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813
https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64
https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d
https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568
https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116
https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c
https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd
https://lore.kernel.org/linux-cve-announce/2026032631-CVE-2026-23396-6447@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23396
https://www.cve.org/CVERecord?id=CVE-2026-23396

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64 https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568

Fri, 27 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
References		https://lore.kernel.org/linux-cve-announce/2026032631-CVE-2026-23396-6447@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23396 https://www.cve.org/CVERecord?id=CVE-2026-23396

Fri, 27 Mar 2026 09:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 26 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel. The captured crash log: Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: <TASK> ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) </TASK> This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
Title		wifi: mac80211: fix NULL deref in mesh_matches_local()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813 https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116 https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004 https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-26T10:22:49.287Z

Updated: 2026-04-18T08:58:31.018Z

Reserved: 2026-01-13T15:37:46.011Z

Link: CVE-2026-23396

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-26T11:16:18.750

Modified: 2026-04-18T09:16:23.650

Link: CVE-2026-23396

Redhat

Severity :

Publid Date: 2026-03-26T00:00:00Z

Links: CVE-2026-23396 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T15:47:38Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object