—

CVE-2026-23396PATCHED

Linux kernel · mac80211

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compar

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel. The captured crash log: Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: <TASK> ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) </TASK> This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.

Affected Products

Vendor	Product	Versions
Linux kernel	mac80211	2.6.26, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0-rc5

References

Related News (3 articles)

Tier B

CERT-FR8d ago

Multiples vulnérabilités dans les produits Microsoft (30 mars 2026)

→ No new info (linked only)

Tier A

Microsoft MSRC11d ago

CVE-2026-23396 wifi: mac80211: fix NULL deref in mesh_matches_local()

→ No new info (linked only)

Tier C

Linux Kernel CVEs12d ago

CVE-2026-23396: wifi: mac80211: fix NULL deref in mesh_matches_local()

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

6.1.167

CWECWE-476

PublishedMar 26, 2026

Last enriched5d agov2

Trending Score12

Source articles3

Independent3

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-23398

In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_d

Trending: 40

HIGHCVE-2026-23408

apparmor: Fix double free of ns_name in aa_replace_profiles()

Trending: 12

HIGHCVE-2026-23407

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()

Trending: 12

HIGHCVE-2026-23410

apparmor: fix race on rawdata dereference

Trending: 12

HIGHCVE-2026-23411

apparmor: fix race between freeing data and fs accessing it

Trending: 12

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 26, 2026

Patch Available

Mar 30, 2026

Discovered by ZDM

Apr 1, 2026

Updated: vendor, product, affectedVersions, patchAvailable

Apr 1, 2026

Version History

Last enriched 5d ago

v2Tier C5d ago

Added vendor and product information, updated affected versions, severity to HIGH, and marked the vulnerability as actively exploited with a patch available.

vendorproductaffectedVersionspatchAvailable

via Linux Kernel CVEs

v15d ago

Initial creation