Home

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local() - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel. The captured crash log: Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: <TASK> ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) </TASK> This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-26 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before 14a4fd13657a3f2489db6566f081adfb27a49c64
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before 74de6fa472b03bc8cde0a081484e9960bcbda568
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before c1e3f2416fb27c816ce96d747d3e784e31f4d95c
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before 0a4da176ae4b4e075a19c00d3e269cfd5e05a813
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before 44699c6cdfce80a0f296b54ae9314461e3e41b3d
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before 7c55a3deaf7eaaafa2546f8de7fed19382a0a116
affected

2e3c8736820bf72a8ad10721c7e31d36d4fa7790 (git) before c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd
affected

Default status
affected

2.6.26
affected

Any version before 2.6.26
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.78 (semver)
unaffected

6.18.20 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/14a4fd13657a3f2489db6566f081adfb27a49c64

git.kernel.org/...c/74de6fa472b03bc8cde0a081484e9960bcbda568

git.kernel.org/...c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c

git.kernel.org/...c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813

git.kernel.org/...c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004

git.kernel.org/...c/44699c6cdfce80a0f296b54ae9314461e3e41b3d

git.kernel.org/...c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116

git.kernel.org/...c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd

cve.org (CVE-2026-23396)

nvd.nist.gov (CVE-2026-23396)

Download JSON