HOMEVULNERABILITIESCVE-2026-23396
NONE

CVE-2026-23396

Published: March 26, 2026· Updated: Mar 30, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:6.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to

compare mesh configuration parameters. When called from

mesh_rx_csa_frame(), the parsed action-frame elements may not contain a

Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a

kernel NULL pointer dereference.

The other two callers are already safe:

- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before

calling mesh_matches_local()

- mesh_plink_get_event() is only reached through

mesh_process_plink_frame(), which checks !elems->mesh_config, too

mesh_rx_csa_frame() is the only caller that passes raw parsed elements

to mesh_matches_local() without guarding mesh_config. An adjacent

attacker can exploit this by sending a crafted CSA action frame that

includes a valid Mesh ID IE but omits the Mesh Configuration IE,

crashing the kernel.

The captured crash log:

Oops: general protection fault, probably for non-canonical address ...

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]

Workqueue: events_unbound cfg80211_wiphy_work

[...]

Call Trace:

<TASK>

? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)

ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)

[...]

ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)

[...]

cfg80211_wiphy_work (net/wireless/core.c:426)

process_one_work (net/kernel/workqueue.c:3280)

? assign_work (net/kernel/workqueue.c:1219)

worker_thread (net/kernel/workqueue.c:3352)

? __pfx_worker_thread (net/kernel/workqueue.c:3385)

kthread (net/kernel/kthread.c:436)

[...]

ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)

</TASK>

This patch adds a NULL check for ie->mesh_config at the top of

mesh_matches_local() to return false early when the Mesh Configuration

IE is absent.

NVD Source

Technical Analysis

CVE-2026-23396 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
LinuxCanonical
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-23396
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 26, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23396 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.