{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23279", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:39.994Z", "dateUpdated": "2026-05-11T22:03:47.541Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:47.541Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs. It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE. No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "753ad20dcbe36b67088c7770d8fc357d7cc43e08", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "f061336f072ab03fd29270ae61fede46bf8fd69d", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "22a9adea7e26d236406edc0ea00b54351dd56b9c", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "f5d8af683410a8c82e48b51291915bd612523d9a", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "cc6d5a3c0a854aeae00915fc5386570c86029c60", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "be8b82c567fda86f2cbb43b7208825125bb31421", "status": "affected", "versionType": "git"}, {"version": "8f2535b92d685c68db4bc699dd78462a646f6ef9", "lessThan": "017c1792525064a723971f0216e6ef86a8c7af11", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "3.13", "status": "affected"}, {"version": "0", "lessThan": "3.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08"}, {"url": "https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d"}, {"url": "https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"}, {"url": "https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"}, {"url": "https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"}, {"url": "https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"}, {"url": "https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"}, {"url": "https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"}], "title": "wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs. It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE. No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: corrige la desreferencia de puntero NULL en mesh_rx_csa_frame()\n\nEn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie es desreferenciado en las l\u00edneas 1638 y 1642 sin una verificaci\u00f3n de NULL previa:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nLa verificaci\u00f3n mesh_matches_local() anterior solo valida el ID de Malla, la Configuraci\u00f3n de Malla y los IEs de Tasas Soportadas. No verifica la presencia del IE de Par\u00e1metros de Cambio de Canal de Malla (ID de elemento 118). Cuando un frame de acci\u00f3n CSA recibido omite ese IE, ieee802_11_parse_elems() deja elems->mesh_chansw_params_ie como NULL, y la desreferencia incondicional causa una desreferencia de puntero NULL del kernel.\n\nUn par de malla remoto con un enlace de par establecido (PLINK_ESTAB) puede activar esto enviando un frame de acci\u00f3n SPECTRUM_MGMT/CHL_SWITCH manipulado que incluye un ID de Malla y un IE de Configuraci\u00f3n de Malla coincidentes, pero omite el IE de Par\u00e1metros de Cambio de Canal de Malla. No se requiere autenticaci\u00f3n m\u00e1s all\u00e1 del emparejamiento de malla abierta predeterminado.\n\nFallo confirmado en el kernel 6.17.0-5-generic a trav\u00e9s de mac80211_hwsim:\n\n BUG: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nSoluci\u00f3n a\u00f1adiendo una verificaci\u00f3n de NULL para mesh_chansw_params_ie despu\u00e9s de que mesh_matches_local() retorne, consistente con c\u00f3mo otros IEs opcionales son protegidos a lo largo del c\u00f3digo de malla.\n\nEl error ha estado presente desde la v3.13 (lanzada el 19-01-2014)."}], "id": "CVE-2026-23279", "lastModified": "2026-04-18T09:16:16.163", "metrics": {}, "published": "2026-03-25T11:16:22.333", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()", "id": "2451170", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451170"}, "csaw": false, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's mac80211 component. A remote mesh peer with an established peer link can trigger a kernel NULL pointer dereference by sending a specially crafted Wi-Fi (Wireless Fidelity) management frame. This frame, a SPECTRUM_MGMT/CHL_SWITCH action frame, omits a required information element, leading to a system crash and a Denial of Service (DoS)."], "name": "CVE-2026-23279", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23279\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23279\nhttps://lore.kernel.org/linux-cve-announce/2026032522-CVE-2026-23279-cf34@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8f2535b92d685c68db4bc699dd78462a646f6ef9,2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8f2535b92d685c68db4bc699dd78462a646f6ef9,22a9adea7e26d236406edc0ea00b54351dd56b9c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8f2535b92d685c68db4bc699dd78462a646f6ef9,f5d8af683410a8c82e48b51291915bd612523d9a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8f2535b92d685c68db4bc699dd78462a646f6ef9,cc6d5a3c0a854aeae00915fc5386570c86029c60)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8f2535b92d685c68db4bc699dd78462a646f6ef9,be8b82c567fda86f2cbb43b7208825125bb31421)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8f2535b92d685c68db4bc699dd78462a646f6ef9,017c1792525064a723971f0216e6ef86a8c7af11)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,3.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T02:33:01.148318+00:00", "value": {"mitigation_remediation": ["Apply the most recent Linux kernel update that includes the mac80211 patch for mesh_rx_csa_frame()", "Verify that wireless mesh or mac80211 features are enabled only if required", "If unable to update immediately, consider disabling the mesh interface or the 802.11s feature to eliminate the attack vector"], "summary": {"action": "Immediate Patch", "impact": "Kernel crash causing denial of service"}, "threat_synthesis": {"affected_systems": "This flaw exists in the Linux kernel for all releases since version\u202f3.13. The bug was confirmed on kernel\u202f6.17.0\u20115\u2011generic and affects any system that uses the mac80211 subsystem with wireless mesh support. The affected products are identified as \u201cLinux: Linux Kernel\u201d and are represented by the CPE string \u201ccpe:2.3:o:linux:linux_kernel:*:\u2026\u201d. Every installation of the kernel that contains mac80211 and has mesh enabled is potentially vulnerable unless patched.", "description_and_impact": "The vulnerability is a null pointer dereference in the mac80211 mesh channel switch frame handling. When a mesh peer receives a crafted channel switch action frame that omits the optional Mesh Channel Switch Parameters element, the kernel dereferences a NULL pointer and crashes. The weakness is a classic null dereference (CWE\u2011476). The result is a kernel panic that brings the host down, creating a denial\u2011of\u2011service condition. No privilege or authentication is needed beyond an established open mesh link.", "risk_and_exploitability": "The probability of exploitation, according to EPSS, is less than\u202f1\u202f% and the vulnerability does not appear in CISA\u2019s KEV catalog, indicating a low likelihood of widespread attack. Nevertheless, the impact of a kernel crash is severe. An attacker would need to establish a mesh link with the target and send a malicious channel\u2011switch action frame; no additional authentication is required. Because the flaw is a kernel panic, the path to exploitation is straightforward, but because it is limited to wireless mesh traffic, the attack surface is more niche. The official patch adds a NULL check and is available in the latest kernel releases, so the recommended mitigation is to update the kernel as soon as possible."}}}}, "created": "2026-03-25T21:15:51.238010+00:00", "updated": "2026-03-26T12:17:38.220190+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}