{"api_version":"1","generated_at":"2026-04-20T03:31:48+00:00","cve":"CVE-2026-23279","urls":{"html":"https://cve.report/CVE-2026-23279","api":"https://cve.report/api/cve/CVE-2026-23279.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23279","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23279"},"summary":{"title":"wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n    ...\n    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs.  It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE.  No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n  CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19).","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:22","updated_at":"2026-04-18 09:16:16"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c","name":"https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421","name":"https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60","name":"https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08","name":"https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab","name":"https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11","name":"https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a","name":"https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d","name":"https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23279","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23279","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 753ad20dcbe36b67088c7770d8fc357d7cc43e08 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 f061336f072ab03fd29270ae61fede46bf8fd69d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 22a9adea7e26d236406edc0ea00b54351dd56b9c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 f5d8af683410a8c82e48b51291915bd612523d9a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 cc6d5a3c0a854aeae00915fc5386570c86029c60 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 be8b82c567fda86f2cbb43b7208825125bb31421 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 8f2535b92d685c68db4bc699dd78462a646f6ef9 017c1792525064a723971f0216e6ef86a8c7af11 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.13","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.77 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.17 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.7 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23279","cve":"CVE-2026-23279","epss":"0.001170000","percentile":"0.303530000","score_date":"2026-04-19","updated_at":"2026-04-20 00:11:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/mac80211/mesh.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"753ad20dcbe36b67088c7770d8fc357d7cc43e08","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"f061336f072ab03fd29270ae61fede46bf8fd69d","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"22a9adea7e26d236406edc0ea00b54351dd56b9c","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"f5d8af683410a8c82e48b51291915bd612523d9a","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"cc6d5a3c0a854aeae00915fc5386570c86029c60","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"be8b82c567fda86f2cbb43b7208825125bb31421","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"},{"lessThan":"017c1792525064a723971f0216e6ef86a8c7af11","status":"affected","version":"8f2535b92d685c68db4bc699dd78462a646f6ef9","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/mac80211/mesh.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.13"},{"lessThan":"3.13","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.77","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.17","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.77","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.17","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"3.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"3.13","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n    ...\n    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs.  It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE.  No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n  CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}],"providerMetadata":{"dateUpdated":"2026-04-18T08:57:35.221Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08"},{"url":"https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d"},{"url":"https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab"},{"url":"https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c"},{"url":"https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a"},{"url":"https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60"},{"url":"https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421"},{"url":"https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11"}],"title":"wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23279","datePublished":"2026-03-25T10:26:39.994Z","dateReserved":"2026-01-13T15:37:45.992Z","dateUpdated":"2026-04-18T08:57:35.221Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:22","lastModifiedDate":"2026-04-18 09:16:16","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23279","Ordinal":"1","Title":"wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_fram","CVE":"CVE-2026-23279","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23279","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n    ...\n    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs.  It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE.  No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000000\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n  CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19).","Type":"Description","Title":"wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_fram"}]}}}