CVE-2026-23396

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 26/03/2026
Last modified: 24/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.

The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
  calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
  mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.

The captured crash log:

    Oops: general protection fault, probably for non-canonical address ...
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    Workqueue: events_unbound cfg80211_wiphy_work
    [...]
    Call Trace:
    ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
    ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
    [...]
    ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
    [...]
    cfg80211_wiphy_work (net/wireless/core.c:426)
    process_one_work (net/kernel/workqueue.c:3280)
    ? assign_work (net/kernel/workqueue.c:1219)
    worker_thread (net/kernel/workqueue.c:3352)
    ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
    kthread (net/kernel/kthread.c:436)
    [...]
    ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)

This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.
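
The guard described above, shown as an added userspace model; it is not the kernel's code or the upstream patch. struct elems, parse_elems(), matches_local() and rx_matches() are hypothetical names, the element buffers are constructed, and the comparison is reduced to the Mesh ID and the first five Mesh Configuration bytes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define EID_MESH_CONFIG 113 /* IEEE 802.11 Mesh Configuration element ID */
#define EID_MESH_ID     114 /* IEEE 802.11 Mesh ID element ID */
#define MESHCONF_LEN    7   /* fixed length of the Mesh Configuration body */

/* Hypothetical model of the parsed elements; mesh_config stays NULL when absent. */
struct elems { const uint8_t *mesh_id; size_t mesh_id_len; const uint8_t *mesh_config; };

/* Constructed sample element buffers, not captured traffic. */
static const uint8_t LOCAL[]   = {114, 2, 'm', '1', 113, 7, 1, 1, 0, 1, 0, 0, 0};
static const uint8_t OTHER[]   = {114, 2, 'm', '1', 113, 7, 0, 1, 0, 1, 0, 0, 0};
static const uint8_t NO_CONF[] = {114, 2, 'm', '1'}; /* Mesh ID only */

/* Walk ID/length/value elements; a truncated element stops the walk. */
static void parse_elems(const uint8_t *buf, size_t len, struct elems *out)
{
    memset(out, 0, sizeof(*out));
    while (len >= 2) {
        uint8_t id = buf[0], elen = buf[1];
        if ((size_t)elen > len - 2)
            break;
        if (id == EID_MESH_ID) {
            out->mesh_id = buf + 2;
            out->mesh_id_len = elen;
        } else if (id == EID_MESH_CONFIG && elen == MESHCONF_LEN) {
            out->mesh_config = buf + 2;
        }
        buf += 2 + elen;
        len -= 2 + (size_t)elen;
    }
}

/* Guarded comparison: an absent element means "no match", never a dereference. */
static bool matches_local(const struct elems *local, const struct elems *rx)
{
    if (!rx->mesh_id || !rx->mesh_config)
        return false;
    return rx->mesh_id_len == local->mesh_id_len &&
           memcmp(rx->mesh_id, local->mesh_id, rx->mesh_id_len) == 0 &&
           memcmp(rx->mesh_config, local->mesh_config, 5) == 0; /* 5 protocol IDs */
}

static bool rx_matches(const uint8_t *buf, size_t len)
{
    struct elems local, rx;
    parse_elems(LOCAL, sizeof LOCAL, &local); /* assumed complete local profile */
    parse_elems(buf, len, &rx);
    return matches_local(&local, &rx);
}

int main(void)
{
    return !rx_matches(LOCAL, sizeof LOCAL) || rx_matches(OTHER, sizeof OTHER) ||
           rx_matches(NO_CONF, sizeof NO_CONF); /* exits 0 when all behave as expected */
}
```

Placing the check inside the comparison function, as the patch does, protects every caller instead of relying on each one to validate the parsed elements first.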

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.26.1 (including) 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.10 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.26:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*