CVE-2026-23279

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()<br /> <br /> In mesh_rx_csa_frame(), elems-&gt;mesh_chansw_params_ie is dereferenced<br /> at lines 1638 and 1642 without a prior NULL check:<br /> <br /> ifmsh-&gt;chsw_ttl = elems-&gt;mesh_chansw_params_ie-&gt;mesh_ttl;<br /> ...<br /> pre_value = le16_to_cpu(elems-&gt;mesh_chansw_params_ie-&gt;mesh_pre_value);<br /> <br /> The mesh_matches_local() check above only validates the Mesh ID,<br /> Mesh Configuration, and Supported Rates IEs. It does not verify the<br /> presence of the Mesh Channel Switch Parameters IE (element ID 118).<br /> When a received CSA action frame omits that IE, ieee802_11_parse_elems()<br /> leaves elems-&gt;mesh_chansw_params_ie as NULL, and the unconditional<br /> dereference causes a kernel NULL pointer dereference.<br /> <br /> A remote mesh peer with an established peer link (PLINK_ESTAB) can<br /> trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame<br /> that includes a matching Mesh ID and Mesh Configuration IE but omits the<br /> Mesh Channel Switch Parameters IE. No authentication beyond the default<br /> open mesh peering is required.<br /> <br /> Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]<br /> CR2: 0000000000000000<br /> <br /> Fix by adding a NULL check for mesh_chansw_params_ie after<br /> mesh_matches_local() returns, consistent with how other optional IEs<br /> are guarded throughout the mesh code.<br /> <br /> The bug has been present since v3.13 (released 2014-01-19).