Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.

The captured crash log:

Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
<TASK>
? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
</TASK>

This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.
Published: 2026-03-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service ‑ kernel crash
Action: Apply patch
AI Analysis

Impact

The defect causes a kernel NULL pointer dereference when a Mesh Configuration Element is missing from a received CSA action frame. An attacker can craft such a frame to trigger the crash, resulting in a denial of service as the kernel panics. The weakness is a classic NULL dereference (CWE‑476).

Affected Systems

All Linux kernel implementations that use the mac80211 wireless stack and provide mesh operation are potentially affected. The vulnerability exists in code that predates the patch adding the NULL check; any kernel configuration with this code path is at risk until the patch is applied.

Risk and Exploitability

The risk is moderate because exploitation requires the ability to inject a malformed CSA frame into the target wireless network. EPSS indicates a very low likelihood of exploitation (<1%) and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread use. Nevertheless, a single crash will bring the affected system down until reboot, and the bug is trivial to exploit with an appropriate radio transmitter, making it a useful vector for denial of service in hostile environments.

Generated by OpenCVE AI on March 26, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds a NULL check in mesh_matches_local()
  • Upgrade the kernel to a release containing the patch, or rebuild the kernel with the patch applied
  • Verify that the kernel version is at least as recent as the commit that introduced the fix
  • If patching is not immediately possible, disable or restrict mesh functionality to prevent processing of CSA frames

Generated by OpenCVE AI on March 26, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 26 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel. The captured crash log: Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: <TASK> ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) </TASK> This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
Title wifi: mac80211: fix NULL deref in mesh_matches_local()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-26T10:22:49.287Z

Reserved: 2026-01-13T15:37:46.011Z

Link: CVE-2026-23396

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T11:16:18.750

Modified: 2026-03-26T11:16:18.750

Link: CVE-2026-23396

cve-icon Redhat

Severity :

Publid Date: 2026-03-26T00:00:00Z

Links: CVE-2026-23396 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:28:50Z

Weaknesses