wid-sec-w-2026-0861  ·  Published 2026-03-24  ·  View on BSI CERT-Bund ↗

Linux Kernel: Multiple Vulnerabilities

CVSS 8.8 HIGH

Risk Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()

In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check:

    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
    ...
    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);

The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference.

A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required.

Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: Oops: 0000 [#1] SMP NOPTI
    RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
    CR2: 0000000000000000

Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code.

The bug has been present since v3.13 (released 2014-01-19).
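The guard described in the fix, as an added user-space model; this is not the kernel patch or code from the advisory. The struct layout, the helper names (parse_elems, rx_csa_checked), the EID_* constants, the -EINVAL return value and the sample bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define EID_MESH_ID        114 /* model constant, used only in the sample data */
#define EID_CHANSW_PARAMS  118 /* Mesh Channel Switch Parameters IE (ID from the advisory) */

/* User-space model of the element body; all-byte fields, so no padding. */
struct chansw_params {
    uint8_t mesh_ttl, mesh_flags, mesh_reason[2], mesh_pre_value[2];
};
struct elems { const struct chansw_params *mesh_chansw_params_ie; };

/* Walk id/len/value elements. An optional element that is absent stays NULL. */
static void parse_elems(const uint8_t *p, size_t len, struct elems *e)
{
    e->mesh_chansw_params_ie = NULL;
    while (len >= 2 && (size_t)p[1] + 2 <= len) {
        if (p[0] == EID_CHANSW_PARAMS && p[1] == sizeof(struct chansw_params))
            e->mesh_chansw_params_ie = (const struct chansw_params *)(p + 2);
        len -= (size_t)p[1] + 2;
        p += (size_t)p[1] + 2;
    }
}

/* Handler with the guard: 0 on success, -EINVAL (assumed code) if the IE is missing. */
static int rx_csa_checked(const uint8_t *ies, size_t len, uint8_t *ttl, uint16_t *pre)
{
    struct elems e;
    parse_elems(ies, len, &e);
    if (!e.mesh_chansw_params_ie) /* without this, the next line reads through NULL */
        return -EINVAL;
    *ttl = e.mesh_chansw_params_ie->mesh_ttl;
    *pre = (uint16_t)(e.mesh_chansw_params_ie->mesh_pre_value[0] |
                      (e.mesh_chansw_params_ie->mesh_pre_value[1] << 8)); /* le16_to_cpu */
    return 0;
}

/* Constructed sample element lists, not captured traffic. */
static const uint8_t with_ie[] = { EID_MESH_ID, 4, 'm', 'e', 's', 'h',
                                   EID_CHANSW_PARAMS, 6, 5, 0, 0, 0, 0x34, 0x12 };
static const uint8_t without_ie[] = { EID_MESH_ID, 4, 'm', 'e', 's', 'h' };

int main(void)
{
    uint8_t ttl; uint16_t pre;
    return rx_csa_checked(with_ie, sizeof(with_ie), &ttl, &pre) != 0 ||
           rx_csa_checked(without_ie, sizeof(without_ie), &ttl, &pre) != -EINVAL;
}
```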

CVEs (117)

CVE-2026-23279 CVE-2026-23280 CVE-2026-23281 CVE-2026-23282 CVE-2026-23283 CVE-2026-23284 CVE-2026-23285 CVE-2026-23286 CVE-2026-23287 CVE-2026-23288 CVE-2026-23289 CVE-2026-23290 CVE-2026-23291 CVE-2026-23292 CVE-2026-23293 CVE-2026-23294 CVE-2026-23295 CVE-2026-23296 CVE-2026-23297 CVE-2026-23298 CVE-2026-23299 CVE-2026-23300 CVE-2026-23301 CVE-2026-23302 CVE-2026-23303 CVE-2026-23304 CVE-2026-23305 CVE-2026-23306 CVE-2026-23307 CVE-2026-23308 CVE-2026-23309 CVE-2026-23310 CVE-2026-23311 CVE-2026-23312 CVE-2026-23313 CVE-2026-23314 CVE-2026-23315 CVE-2026-23316 CVE-2026-23317 CVE-2026-23318 CVE-2026-23319 CVE-2026-23320 CVE-2026-23321 CVE-2026-23322 CVE-2026-23323 CVE-2026-23324 CVE-2026-23325 CVE-2026-23326 CVE-2026-23327 CVE-2026-23328 CVE-2026-23329 CVE-2026-23330 CVE-2026-23331 CVE-2026-23332 CVE-2026-23333 CVE-2026-23334 CVE-2026-23335 CVE-2026-23336 CVE-2026-23337 CVE-2026-23338 CVE-2026-23339 CVE-2026-23340 CVE-2026-23341 CVE-2026-23342 CVE-2026-23343 CVE-2026-23344 CVE-2026-23345 CVE-2026-23346 CVE-2026-23347 CVE-2026-23348 CVE-2026-23349 CVE-2026-23350 CVE-2026-23351 CVE-2026-23352 CVE-2026-23353 CVE-2026-23354 CVE-2026-23355 CVE-2026-23356 CVE-2026-23357 CVE-2026-23358 CVE-2026-23359 CVE-2026-23360 CVE-2026-23361 CVE-2026-23362 CVE-2026-23363 CVE-2026-23364 CVE-2026-23365 CVE-2026-23366 CVE-2026-23367 CVE-2026-23368 CVE-2026-23369 CVE-2026-23370 CVE-2026-23371 CVE-2026-23372 CVE-2026-23373 CVE-2026-23374 CVE-2026-23375 CVE-2026-23376 CVE-2026-23377 CVE-2026-23378 CVE-2026-23379 CVE-2026-23380 CVE-2026-23381 CVE-2026-23382 CVE-2026-23383 CVE-2026-23384 CVE-2026-23385 CVE-2026-23386 CVE-2026-23387 CVE-2026-23388 CVE-2026-23389 CVE-2026-23390 CVE-2026-23391 CVE-2026-23392 CVE-2026-23393 CVE-2026-23394 CVE-2026-23395

Affected Vendors

Google Open Source
