In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check:
    ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
    ...
    pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference.
A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required.
Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: Oops: 0000 [#1] SMP NOPTI
    RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211]
    CR2: 0000000000000000
Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code.
The bug has been present since v3.13 (released 2014-01-19).
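The guard described above, modelled in userspace C as an added example (this is not the kernel patch or code from the advisory). parse_elems(), handle_csa(), the struct layouts and the sample buffers are assumptions constructed here; element ID 118 and the mesh_chansw_params_ie, mesh_ttl and chsw_ttl names follow the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define EID_MESH_ID            114
#define EID_MESH_CHANSW_PARAMS 118  /* element ID named in the advisory */

/* Userspace stand-ins (assumed names): 6-byte element body, parse result, state. */
struct chansw_params { uint8_t mesh_ttl, mesh_flags, reason[2], pre_value[2]; };
struct parsed_elems { const uint8_t *mesh_id; const struct chansw_params *mesh_chansw_params_ie; };
struct { uint8_t chsw_ttl; } ifmsh;

/* Walk id/len/value elements; an IE that is absent leaves its pointer NULL. */
int parse_elems(const uint8_t *buf, size_t len, struct parsed_elems *e)
{
    *e = (struct parsed_elems){0};
    for (size_t off = 0; off < len; ) {
        if (len - off < 2 || buf[off + 1] > len - off - 2)
            return -1;  /* truncated element */
        uint8_t id = buf[off], elen = buf[off + 1];
        const uint8_t *val = buf + off + 2;
        if (id == EID_MESH_ID)
            e->mesh_id = val;
        else if (id == EID_MESH_CHANSW_PARAMS && elen == sizeof(struct chansw_params))
            e->mesh_chansw_params_ie = (const struct chansw_params *)val;
        off += 2u + elen;
    }
    return 0;
}

/* Returns the precedence value, or -1 when the frame is ignored. */
int handle_csa(const uint8_t *buf, size_t len)
{
    struct parsed_elems e;
    if (parse_elems(buf, len, &e) < 0 || !e.mesh_id)
        return -1;
    if (!e.mesh_chansw_params_ie)  /* guard: optional IE was not in the frame */
        return -1;
    ifmsh.chsw_ttl = e.mesh_chansw_params_ie->mesh_ttl;
    return e.mesh_chansw_params_ie->pre_value[0] | (e.mesh_chansw_params_ie->pre_value[1] << 8);
}

/* Constructed element buffers: Mesh ID "m1", with and without element 118. */
const uint8_t with_ie[]    = {114, 2, 'm', '1', 118, 6, 5, 0, 0, 0, 0x34, 0x12};
const uint8_t without_ie[] = {114, 2, 'm', '1'};

int main(void)
{
    printf("%d %d\n", handle_csa(with_ie, sizeof with_ie), handle_csa(without_ie, sizeof without_ie));
    return 0;
}
```

Deleting the guard in handle_csa() reproduces the pattern the advisory describes: the second buffer parses cleanly, leaves the pointer NULL, and the next line dereferences it.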
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23279.json"
}