{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23396", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.011Z", "datePublished": "2026-03-26T10:22:49.287Z", "dateUpdated": "2026-05-11T22:06:05.924Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:05.924Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems->mesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n <TASK>\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n </TASK>\n\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "14a4fd13657a3f2489db6566f081adfb27a49c64", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "74de6fa472b03bc8cde0a081484e9960bcbda568", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "c1e3f2416fb27c816ce96d747d3e784e31f4d95c", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "0a4da176ae4b4e075a19c00d3e269cfd5e05a813", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "44699c6cdfce80a0f296b54ae9314461e3e41b3d", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "7c55a3deaf7eaaafa2546f8de7fed19382a0a116", "status": "affected", "versionType": "git"}, {"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790", "lessThan": "c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mesh.c"], "versions": [{"version": "2.6.26", "status": "affected"}, {"version": "0", "lessThan": "2.6.26", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.26", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64"}, {"url": "https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568"}, {"url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"}, {"url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"}, {"url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"}, {"url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"}, {"url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"}, {"url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"}], "title": "wifi: mac80211: fix NULL deref in mesh_matches_local()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F7C4E68-B5A8-416F-9E9E-9E29289DF9DC", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.26.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "28D591F5-B196-4CC9-905C-DC80F116E7A8", "versionEndExcluding": "6.12.78", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5571059-6552-48E7-9BEF-3E358C387171", "versionEndExcluding": "6.18.20", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D34333-38BE-4414-9E79-6EB764329581", "versionEndExcluding": "6.19.10", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.26:-:*:*:*:*:*:*", "matchCriteriaId": "2904D4F1-8EE3-49BD-8EA8-5C7FA05E28F3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems->mesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n <TASK>\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n </TASK>\n\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: corrige desreferencia de NULL en mesh_matches_local()\n\nmesh_matches_local() desreferencia incondicionalmente ie-&gt;mesh_config para comparar los par\u00e1metros de configuraci\u00f3n de malla. Cuando se llama desde mesh_rx_csa_frame(), los elementos de la trama de acci\u00f3n analizados pueden no contener un IE de Configuraci\u00f3n de Malla, dejando ie-&gt;mesh_config como NULL y desencadenando una desreferencia de puntero NULL del kernel.\n\nLos otros dos llamadores ya son seguros:\n - ieee80211_mesh_rx_bcn_presp() comprueba !elems-&gt;mesh_config antes de llamar a mesh_matches_local()\n - mesh_plink_get_event() solo se alcanza a trav\u00e9s de mesh_process_plink_frame(), que tambi\u00e9n comprueba !elems-&gt;mesh_config\n\nmesh_rx_csa_frame() es el \u00fanico llamador que pasa elementos analizados en bruto a mesh_matches_local() sin proteger mesh_config. Un atacante adyacente puede explotar esto enviando una trama de acci\u00f3n CSA manipulada que incluye un IE de ID de Malla v\u00e1lido pero omite el IE de Configuraci\u00f3n de Malla, provocando el fallo del kernel.\n\nEl registro de fallo capturado:\n\nOops: fallo de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica ...\nKASAN: desreferencia de puntero nulo en el rango [0x0000000000000000-0x0000000000000007]\nCola de trabajo: events_unbound cfg80211_wiphy_work\n[...]\nTraza de Llamada:\n \n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \n\nEste parche a\u00f1ade una comprobaci\u00f3n de NULL para ie-&gt;mesh_config al principio de mesh_matches_local() para devolver falso anticipadamente cuando el IE de Configuraci\u00f3n de Malla est\u00e1 ausente."}], "id": "CVE-2026-23396", "lastModified": "2026-04-24T15:18:27.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T11:16:18.750", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: mac80211: fix NULL deref in mesh_matches_local()", "id": "2451661", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451661"}, "csaw": false, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: fix NULL deref in mesh_matches_local()\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\nThe other two callers are already safe:\n- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\ncalling mesh_matches_local()\n- mesh_plink_get_event() is only reached through\nmesh_process_plink_frame(), which checks !elems->mesh_config, too\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\nThe captured crash log:\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n<TASK>\n? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\nieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n[...]\nieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n[...]\ncfg80211_wiphy_work (net/wireless/core.c:426)\nprocess_one_work (net/kernel/workqueue.c:3280)\n? assign_work (net/kernel/workqueue.c:1219)\nworker_thread (net/kernel/workqueue.c:3352)\n? __pfx_worker_thread (net/kernel/workqueue.c:3385)\nkthread (net/kernel/kthread.c:436)\n[...]\nret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n</TASK>\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent.", "A flaw was found in the Linux kernel's mac80211 component. An adjacent attacker can exploit this by sending a specially crafted Channel Switch Announcement (CSA) action frame. This frame, containing a valid Mesh ID Information Element (IE) but lacking a Mesh Configuration IE, can trigger a NULL pointer dereference within the kernel. Successful exploitation leads to a system crash, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the mac80211 module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Note that this will disable WiFi functionality entirely."}, "name": "CVE-2026-23396", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23396\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23396\nhttps://lore.kernel.org/linux-cve-announce/2026032631-CVE-2026-23396-6447@gregkh/T"], "statement": "This vulnerability requires the attacker to be on the same wireless mesh network as the target system, limiting exploitation to adjacent network scenarios. Systems not configured for 802.11s mesh networking are not affected. The impact is limited to denial of service through a kernel crash, with no data exposure or code execution."}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,c1e3f2416fb27c816ce96d747d3e784e31f4d95c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,0a4da176ae4b4e075a19c00d3e269cfd5e05a813)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,44699c6cdfce80a0f296b54ae9314461e3e41b3d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,7c55a3deaf7eaaafa2546f8de7fed19382a0a116)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2e3c8736820bf72a8ad10721c7e31d36d4fa7790,c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.26"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.26)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:54:52.160620+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a release that includes the patch for mesh_matches_local.", "If an update is not immediately available, disable mesh networking on vulnerable devices to remove the trigger point.", "Monitor system logs for general protection faults, KASAN null pointer dereferences, or kernel panics that may indicate an attempted exploitation."], "summary": {"action": "Apply Patch", "impact": "Kernel Null Pointer Dereference causing Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernels that include the mac80211 mesh networking stack are impacted. The affected vendors list only \"Linux\" and no specific version numbers are provided, so any kernel build that predates the patch that adds a null check is vulnerable. This includes typical distributions that ship the upstream kernel.", "description_and_impact": "The issue originates from an unchecked dereference of the Mesh Configuration element within the mesh_matches_local function in the Linux kernel\u2019s mac80211 subsystem. When a CSA action frame is received that contains a Mesh ID IE but omits the Mesh Configuration IE, the function dereferences a null pointer, triggering a kernel panic. This constitutes a denial\u2011of\u2011service vulnerability and falls under CWE-476.", "risk_and_exploitability": "The EPSS score is reported as <\u202f1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. The CVSS score of 5.5 indicates a medium severity. The likely attack vector is a remote wireless adversary that can transmit a crafted CSA action frame. Based on the description, the attacker can send a frame that includes a Mesh ID IE while omitting the Mesh Configuration IE, causing the null dereference. Exploitation requires the device to have mesh networking enabled and the ability to process malformed CSA frames, which limits the attack surface to wireless interfaces exposing the mesh feature."}}}}, "created": "2026-03-26T12:08:09.106966+00:00", "updated": "2026-04-28T17:00:13.453494+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}