{
  "public_date" : "2026-03-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: mac80211: fix NULL deref in mesh_matches_local()",
    "id" : "2451661",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451661"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: fix NULL deref in mesh_matches_local()\nmesh_matches_local() unconditionally dereferences ie->mesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie->mesh_config NULL and triggering a\nkernel NULL pointer dereference.\nThe other two callers are already safe:\n- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before\ncalling mesh_matches_local()\n- mesh_plink_get_event() is only reached through\nmesh_process_plink_frame(), which checks !elems->mesh_config, too\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\nThe captured crash log:\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n<TASK>\n? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\nieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n[...]\nieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n[...]\ncfg80211_wiphy_work (net/wireless/core.c:426)\nprocess_one_work (net/kernel/workqueue.c:3280)\n? assign_work (net/kernel/workqueue.c:1219)\nworker_thread (net/kernel/workqueue.c:3352)\n? __pfx_worker_thread (net/kernel/workqueue.c:3385)\nkthread (net/kernel/kthread.c:436)\n[...]\nret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n</TASK>\nThis patch adds a NULL check for ie->mesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent.", "A flaw was found in the Linux kernel's mac80211 component. An adjacent attacker can exploit this by sending a specially crafted Channel Switch Announcement (CSA) action frame. This frame, containing a valid Mesh ID Information Element (IE) but lacking a Mesh Configuration IE, can trigger a NULL pointer dereference within the kernel. Successful exploitation leads to a system crash, resulting in a Denial of Service (DoS)." ],
  "statement" : "This vulnerability requires the attacker to be on the same wireless mesh network as the target system, limiting exploitation to adjacent network scenarios. Systems not configured for 802.11s mesh networking are not affected. The impact is limited to denial of service through a kernel crash, with no data exposure or code execution.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23396\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23396\nhttps://lore.kernel.org/linux-cve-announce/2026032631-CVE-2026-23396-6447@gregkh/T" ],
  "name" : "CVE-2026-23396",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the mac80211 module from being loaded. See https://access.redhat.com/solutions/41278 for instructions. Note that this will disable WiFi functionality entirely.",
    "lang" : "en:us"
  },
  "csaw" : false
}