CVE-2026-23279

EUVD-2026-15198
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()

In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced
at lines 1638 and 1642 without a prior NULL check:

    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
    ...
    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);

The mesh_matches_local() check above only validates the Mesh ID,
Mesh Configuration, and Supported Rates IEs.  It does not verify the
presence of the Mesh Channel Switch Parameters IE (element ID 118).
When a received CSA action frame omits that IE, ieee802_11_parse_elems()
leaves elems->mesh_chansw_params_ie as NULL, and the unconditional
dereference causes a kernel NULL pointer dereference.

A remote mesh peer with an established peer link (PLINK_ESTAB) can
trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame
that includes a matching Mesh ID and Mesh Configuration IE but omits the
Mesh Channel Switch Parameters IE.  No authentication beyond the default
open mesh peering is required.

Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  Oops: Oops: 0000 [#1] SMP NOPTI
  RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
  CR2: 0000000000000000

Fix by adding a NULL check for mesh_chansw_params_ie after
mesh_matches_local() returns, consistent with how other optional IEs
are guarded throughout the mesh code.

The bug has been present since v3.13 (released 2014-01-19).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
3.13 ≤
𝑥
< 5.10.253
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.203
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.167
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.130
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.77
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.17
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.7
linuxlinux_kernel
7.0:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
linux-6.1
bullseye (security)
6.1.174-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
kernel-64kb
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-azure
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-default
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-default-base
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1.150700.17.33.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-source
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.55.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.55.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.317.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.130.1-1.azl3
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11
https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c
https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab
https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08
https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421
https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60
https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d
https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a