{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23279","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.992Z","datePublished":"2026-03-25T10:26:39.994Z","dateUpdated":"2026-05-11T22:03:47.541Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:03:47.541Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n    ...\n    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs.  It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE.  No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n  CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mac80211/mesh.c"],"versions":[{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"753ad20dcbe36b67088c7770d8fc357d7cc43e08","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"f061336f072ab03fd29270ae61fede46bf8fd69d","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"22a9adea7e26d236406edc0ea00b54351dd56b9c","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"f5d8af683410a8c82e48b51291915bd612523d9a","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"cc6d5a3c0a854aeae00915fc5386570c86029c60","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"be8b82c567fda86f2cbb43b7208825125bb31421","status":"affected","versionType":"git"},{"version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","lessThan":"017c1792525064a723971f0216e6ef86a8c7af11","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/mac80211/mesh.c"],"versions":[{"version":"3.13","status":"affected"},{"version":"0","lessThan":"3.13","status":"unaffected","versionType":"semver"},{"version":"5.10.253","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.203","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.77","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.17","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.7","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.10.253"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"5.15.203"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.12.77"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.18.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.19.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08"},{"url":"https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d"},{"url":"https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"},{"url":"https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"},{"url":"https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"},{"url":"https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"},{"url":"https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"},{"url":"https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"}],"title":"wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()","x_generator":{"engine":"bippy-1.2.0"}}}}