{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23396", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-26T10:22:49.287Z", "dateUpdated": "2026-03-26T10:22:49.287Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-26T10:22:49.287Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems->mesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n <TASK>\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n </TASK>\n\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "c1e3f2416fb27c816ce96d747d3e784e31f4d95c", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "0a4da176ae4b4e075a19c00d3e269cfd5e05a813", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "44699c6cdfce80a0f296b54ae9314461e3e41b3d", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "7c55a3deaf7eaaafa2546f8de7fed19382a0a116", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "2.6.26", "status": "affected"}, {"version": "0", "lessThan": "2.6.26", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"}, {"url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"}, {"url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"}, {"url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"}, {"url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"}, {"url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"}], "title": "wifi: mac80211: fix NULL deref in mesh_matches_local()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems->mesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n <TASK>\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n </TASK>\n\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."}], "id": "CVE-2026-23396", "lastModified": "2026-03-26T11:16:18.750", "metrics": {}, "published": "2026-03-26T11:16:18.750", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T11:50:58.756988+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that includes the patch addressing the NULL dereference in mesh_matches_local", "If a kernel upgrade cannot be performed immediately, disable mac80211 mesh networking or block malicious CSA frames via driver or firewall rules", "Verify after the update that the kernel contains the patch by checking the commit hash or the patch metadata", "Monitor system logs for recurrent KASAN null\u2011pointer dereference messages or kernel panics and alert on possible exploitation attempts"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via Kernel Crash"}, "threat_synthesis": {"affected_systems": "All Linux distributions that ship a kernel build before the inclusion of the NULL guard in the mesh_matches_local function are vulnerable. The advisory does not specify exact kernel versions, so users should verify whether their kernel revision predates the commit referenced in the provided patch URLs and consider upgrading to a newer kernel that contains the fix.", "description_and_impact": "The Linux mac80211 wireless module contains a function that compares local mesh configuration data. When processing certain action frames, the function assumes the presence of a Mesh Configuration IE and dereferences it unconditionally. If an attacker sends a malformed CSA frame that includes a Mesh ID IE but omits the Mesh Configuration IE, the function receives a null pointer, triggering a kernel NULL pointer dereference and causing a system crash. This results in a denial of service and potential reboot of the affected device, with the possibility of subsequent privilege escalation if the system restarts without proper security controls.", "risk_and_exploitability": "The advisory does not provide a CVSS score or EPSS chance of exploitation, and it is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote wireless network exploitation through transmission of crafted CSA frames over the air. The condition requires only access to the wireless medium and the ability to inject frames, which is typical for a nearby attacker. The impact is high in terms of availability, as a single exploit can crash the kernel and disrupt services on the affected device."}}}}, "created": "2026-03-26T12:08:09.106966+00:00", "updated": "2026-03-26T12:08:09.106991+00:00", "vendors": [], "weaknesses": ["CWE-476"]}