CVE-2026-23279
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check:
    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
    ...
    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference.
A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required.
Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: Oops: 0000 [#1] SMP NOPTI
    RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
    CR2: 0000000000000000
Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code.
The bug has been present since v3.13 (released 2014-01-19).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing NULL pointer check in the Linux kernel's mesh_rx_csa_frame() allows a remote mesh peer to trigger a kernel crash via a crafted action frame, affecting kernels since v3.13.
Vulnerability: NULL pointer dereference in mesh CSA handling
In the Linux kernel's mac80211 subsystem, the function mesh_rx_csa_frame() processes Channel Switch Announcement (CSA) action frames in mesh networks. The function dereferences elems->mesh_chansw_params_ie at lines 1638 and 1642 without first checking if it is NULL. While mesh_matches_local() validates the Mesh ID, Mesh Configuration, and Supported Rates IEs, it does not ensure the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits this IE, the parsing function ieee802_11_parse_elems() leaves the pointer as NULL, leading to an unconditional NULL pointer dereference and a kernel panic [1][4].
Exploitation: Remote trigger from an authenticated mesh peer
An attacker who has established a mesh peer link (PLINK_ESTAB) with a vulnerable system can exploit this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame. The frame must include a matching Mesh ID and Mesh Configuration IE to pass the mesh_matches_local() check, but must deliberately omit the Mesh Channel Switch Parameters IE. No additional authentication beyond default open mesh peering is required. A crash was confirmed on kernel 6.17.0-5-generic using mac80211_hwsim, with the oops showing RIP in ieee80211_mesh_rx_queued_mgmt [1].
Impact: Denial-of-service via kernel crash
Successful exploitation results in a NULL pointer dereference, causing a kernel Oops and effectively a denial-of-service (DoS) condition on the targeted mesh node. The crash disrupts all mesh activities on that node, potentially affecting network connectivity for other mesh peers. No privilege escalation or data exfiltration has been reported.
Mitigation
The fix adds a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded in the mesh code. Patches have been backported to various stable kernel trees. The vulnerability has existed since kernel v3.13 (released 2014-01-19). Affected systems should apply the latest kernel updates from their distribution [2][3].
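A simplified C model of the guarded code path, added here as an illustration and not taken from the kernel or from the commits referenced on this page: it assumes a toy element parser, a six-byte IE body layout, a stand-in ieee80211_if_mesh struct and constructed sample frames, and shows how the post-fix NULL check turns a frame that omits element ID 118 into a rejected frame rather than a dereference.

```c
/* Simplified model of the CVE-2026-23279 code path (added illustration; struct
 * layouts, the parser and the sample frames are assumptions, not mac80211's code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define WLAN_EID_CHAN_SWITCH_PARAM 118   /* Mesh Channel Switch Parameters IE */
#define CSA_MISSING_IE (-1)
/* Assumed 6-byte IE body; little-endian fields kept as raw bytes. */
struct mesh_chansw_params_ie { uint8_t mesh_ttl, mesh_flags, mesh_reason[2], mesh_pre_value[2]; };
struct ieee802_11_elems { const struct mesh_chansw_params_ie *mesh_chansw_params_ie; };
struct ieee80211_if_mesh { uint8_t chsw_ttl; };   /* holds the field the page shows being set */
static uint16_t le16_to_cpu(const uint8_t b[2]) { return (uint16_t)(b[0] | (b[1] << 8)); }
/* Walks (id, len, body) triples and records EID 118 if present and long enough;
 * as with ieee802_11_parse_elems(), an absent IE leaves the pointer NULL. */
static void parse_elems(const uint8_t *ies, size_t len, struct ieee802_11_elems *elems)
{
    memset(elems, 0, sizeof(*elems));
    while (len >= 2 && len >= 2u + ies[1]) {
        uint8_t elen = ies[1];
        if (ies[0] == WLAN_EID_CHAN_SWITCH_PARAM && (size_t)elen >= sizeof(struct mesh_chansw_params_ie))
            elems->mesh_chansw_params_ie = (const struct mesh_chansw_params_ie *)(ies + 2);
        ies += 2u + elen;
        len -= 2u + elen;
    }
}
/* mesh_matches_local() is modelled as already having passed: its Mesh ID, Mesh
 * Configuration and Supported Rates checks say nothing about EID 118. Before the fix
 * the two dereferences below ran unconditionally. Returns pre_value or CSA_MISSING_IE. */
static int mesh_rx_csa_frame(struct ieee80211_if_mesh *ifmsh, const uint8_t *ies, size_t len)
{
    struct ieee802_11_elems elems;
    parse_elems(ies, len, &elems);
    if (!elems.mesh_chansw_params_ie)     /* the fix: guard the optional IE */
        return CSA_MISSING_IE;
    ifmsh->chsw_ttl = elems.mesh_chansw_params_ie->mesh_ttl;
    return le16_to_cpu(elems.mesh_chansw_params_ie->mesh_pre_value);
}
/* Constructed sample frames: Mesh ID "mesh" (EID 114), with and without EID 118. */
static const uint8_t frame_with_ie[] = { 114, 4, 'm', 'e', 's', 'h', 118, 6, 0x1f, 0, 0, 0, 0x02, 0x01 };
static const uint8_t frame_without_ie[] = { 114, 4, 'm', 'e', 's', 'h' };
static struct ieee80211_if_mesh g_ifmsh;  /* mesh-interface state shared with the demo */

int main(void)
{
    int pre = mesh_rx_csa_frame(&g_ifmsh, frame_with_ie, sizeof frame_with_ie);
    printf("with IE: chsw_ttl=%d pre_value=%d; without IE: %d\n", g_ifmsh.chsw_ttl, pre,
           mesh_rx_csa_frame(&g_ifmsh, frame_without_ie, sizeof frame_without_ie));
    return 0;
}
```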
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11 (nvd)
- git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c (nvd)
- git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab (nvd)
- git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08 (nvd)
- git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421 (nvd)
- git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60 (nvd)
- git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d (nvd)
- git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a (nvd)
News mentions (0)
No linked articles in our index yet.