SB2026032651 - NULL pointer dereference in Linux kernel mac80211
Published: March 26, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2026-23396)
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper pointer dereference in the mesh_matches_local() function in the Linux kernel's mac80211 subsystem when handling Wi-Fi mesh action frames. An attacker with physical access can send a specially crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE to cause a kernel NULL pointer dereference, resulting in a system crash.
The vulnerability specifically affects Wi-Fi mesh mode processing and requires the attacker to be within radio range to transmit the malicious frame. No authentication or user interaction is required for exploitation.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813
- https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d
- https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116
- https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
- https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c
- https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd