CVE-2026-23396

Published: Mar 26, 2026 Last Modified: Mar 26, 2026

Description


In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.

The captured crash log:

Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
<TASK>
? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
</TASK>

This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.
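
The guard described above, as an added example that is not the kernel patch or code from this page: a simplified userspace C model in which the parser leaves mesh_config NULL when the Mesh Configuration element is absent and the comparison returns false early. The struct, function names and sample byte buffers are constructed for illustration; 113 and 114 are the IEEE 802.11 element IDs for Mesh Configuration and Mesh ID.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Userspace model only: names here are hypothetical, not kernel symbols. */
enum { EID_MESH_CONFIG = 113, EID_MESH_ID = 114, MESH_CONFIG_LEN = 7 };
struct parsed_elems {
    const uint8_t *mesh_id, *mesh_config; /* NULL when the element is absent */
    size_t mesh_id_len;
};
/* Constructed sample data: local settings and two element buffers. */
static const uint8_t local_id[] = { 'm', 'e', 's', 'h' };
static const uint8_t local_cfg[MESH_CONFIG_LEN] = { 1, 1, 0, 1, 0, 0, 0 };
static const uint8_t elems_full[] = { 114, 4, 'm', 'e', 's', 'h',
                                      113, 7, 1, 1, 0, 1, 0, 0, 0 };
static const uint8_t elems_no_cfg[] = { 114, 4, 'm', 'e', 's', 'h' };
/* Walk id/length/value elements; fail on a truncated element. */
static bool parse_elems(const uint8_t *buf, size_t len, struct parsed_elems *out)
{
    memset(out, 0, sizeof(*out));
    while (len >= 2) {
        size_t elen = buf[1];
        if (elen > len - 2)
            return false;
        if (buf[0] == EID_MESH_ID) {
            out->mesh_id = buf + 2;
            out->mesh_id_len = elen;
        } else if (buf[0] == EID_MESH_CONFIG && elen >= MESH_CONFIG_LEN) {
            out->mesh_config = buf + 2;
        }
        buf += 2 + elen;
        len -= 2 + elen;
    }
    return len == 0;
}
/* Guarded comparison: a missing element is a non-match, never a dereference. */
static bool matches_local(const struct parsed_elems *ie)
{
    if (!ie->mesh_config || !ie->mesh_id) /* mesh_id check is this model's own */
        return false;
    return ie->mesh_id_len == sizeof(local_id) &&
           memcmp(ie->mesh_id, local_id, sizeof(local_id)) == 0 &&
           memcmp(ie->mesh_config, local_cfg, MESH_CONFIG_LEN) == 0;
}

int main(void)
{
    struct parsed_elems e;
    /* Exit status 0 when the set lacking Mesh Configuration is rejected. */
    return parse_elems(elems_no_cfg, sizeof(elems_no_cfg), &e) && matches_local(&e);
}
```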

EPSS (Exploit Prediction Scoring System)


Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.

EPSS Score: 0.0002
Percentile: 0.1th

https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813
https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d
https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116
https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c
https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd