FKIE_CVE-2026-23396

Vulnerability from fkie_nvd - Published: 2026-03-26 11:16 - Updated: 2026-03-30 13:26
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.

The other two callers are already safe:
  - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local()
  - mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel.

The captured crash log:

Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
 <TASK>
 ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
 ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
 [...]
 ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
 [...]
 cfg80211_wiphy_work (net/wireless/core.c:426)
 process_one_work (net/kernel/workqueue.c:3280)
 ? assign_work (net/kernel/workqueue.c:1219)
 worker_thread (net/kernel/workqueue.c:3352)
 ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
 kthread (net/kernel/kthread.c:436)
 [...]
 ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
 </TASK>

This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie-\u003emesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie-\u003emesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n  - ieee80211_mesh_rx_bcn_presp() checks !elems-\u003emesh_config before\n    calling mesh_matches_local()\n  - mesh_plink_get_event() is only reached through\n    mesh_process_plink_frame(), which checks !elems-\u003emesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n \u003cTASK\u003e\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nThis patch adds a NULL check for ie-\u003emesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: corrige desreferencia de NULL en mesh_matches_local()\n\nmesh_matches_local() desreferencia incondicionalmente ie-\u0026gt;mesh_config para comparar los par\u00e1metros de configuraci\u00f3n de malla. Cuando se llama desde mesh_rx_csa_frame(), los elementos de la trama de acci\u00f3n analizados pueden no contener un IE de Configuraci\u00f3n de Malla, dejando ie-\u0026gt;mesh_config como NULL y desencadenando una desreferencia de puntero NULL del kernel.\n\nLos otros dos llamadores ya son seguros:\n  - ieee80211_mesh_rx_bcn_presp() comprueba !elems-\u0026gt;mesh_config antes de llamar a mesh_matches_local()\n  - mesh_plink_get_event() solo se alcanza a trav\u00e9s de mesh_process_plink_frame(), que tambi\u00e9n comprueba !elems-\u0026gt;mesh_config\n\nmesh_rx_csa_frame() es el \u00fanico llamador que pasa elementos analizados en bruto a mesh_matches_local() sin proteger mesh_config. Un atacante adyacente puede explotar esto enviando una trama de acci\u00f3n CSA manipulada que incluye un IE de ID de Malla v\u00e1lido pero omite el IE de Configuraci\u00f3n de Malla, provocando el fallo del kernel.\n\nEl registro de fallo capturado:\n\nOops: fallo de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica ...\nKASAN: desreferencia de puntero nulo en el rango [0x0000000000000000-0x0000000000000007]\nCola de trabajo: events_unbound cfg80211_wiphy_work\n[...]\nTraza de Llamada:\n \n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \n\nEste parche a\u00f1ade una comprobaci\u00f3n de NULL para ie-\u0026gt;mesh_config al principio de mesh_matches_local() para devolver falso anticipadamente cuando el IE de Configuraci\u00f3n de Malla est\u00e1 ausente."
    }
  ],
  "id": "CVE-2026-23396",
  "lastModified": "2026-03-30T13:26:50.827",
  "metrics": {},
  "published": "2026-03-26T11:16:18.750",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}