{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23279", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:39.994Z", "dateUpdated": "2026-03-25T10:26:39.994Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:39.994Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs. It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE. No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "22a9adea7e26d236406edc0ea00b54351dd56b9c", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "f5d8af683410a8c82e48b51291915bd612523d9a", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "cc6d5a3c0a854aeae00915fc5386570c86029c60", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "be8b82c567fda86f2cbb43b7208825125bb31421", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "017c1792525064a723971f0216e6ef86a8c7af11", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "3.13", "status": "affected"}, {"version": "0", "lessThan": "3.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"}, {"url": "https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"}, {"url": "https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"}, {"url": "https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"}, {"url": "https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"}, {"url": "https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"}], "title": "wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs. It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE. No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}], "id": "CVE-2026-23279", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:22.333", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T12:07:34.361637+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the NULL pointer dereference fix \u2013 for example, kernel 6.18 or newer where the patch has been merged.", "Verify that your distribution\u2019s package repository provides the updated kernel; if using a custom or frozen kernel, apply the specific commit(s) referenced in the advisory.", "If a kernel update cannot be applied immediately, consider disabling open mesh networking on affected hosts or isolating them from the wireless mesh network to prevent the crafted action frame from reaching them."], "summary": {"action": "Apply patch", "impact": "Denial of Service via kernel crash"}, "threat_synthesis": {"affected_systems": "This issue exists in all Linux kernel versions containing the mac80211 code from 3.13 onward. Any distribution kernel that enables the open mesh networking feature is affected. The problem is not limited by vendor identity, as the affected code is part of the public kernel source.", "description_and_impact": "The Linux kernel\u2019s mac80211 subsystem processes Mesh Channel Switch action frames. A missing Mesh Channel Switch Parameters IE can cause a NULL pointer dereference during parsing, leading to a kernel crash. The crash does not execute arbitrary code but results in a denial of service by interrupting kernel operation and potentially rendering the host non\u2011responsive.", "risk_and_exploitability": "An attacker who can transmit a crafted 802.11 spectrum management frame to a host on an open mesh network can trigger the crash when a peer link is established. No special authentication or privileged network access is required beyond the default open mesh mode. Because the attack occurs over the wireless medium, proximity or the presence of a nearby mesh node may be necessary. The CVSS score is not listed in the data, and EPSS is unavailable, but the impact is a clear denial of service. The vulnerability is not part of CISA\u2019s KEV catalog, suggesting no widespread public exploitation reports to date."}}}}, "created": "2026-03-25T21:15:51.238010+00:00", "updated": "2026-03-25T21:15:51.238034+00:00", "vendors": [], "weaknesses": ["CWE-476"]}