In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL deref in mesh_matches_local()
mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.
The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local()
- mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too
mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel.
The captured crash log:
  Oops: general protection fault, probably for non-canonical address ...
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  Workqueue: events_unbound cfg80211_wiphy_work
  [...]
  Call Trace:
   <TASK>
   ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
   ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
   [...]
   ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
   [...]
   cfg80211_wiphy_work (net/wireless/core.c:426)
   process_one_work (net/kernel/workqueue.c:3280)
   ? assign_work (net/kernel/workqueue.c:1219)
   worker_thread (net/kernel/workqueue.c:3352)
   ? __pfx_worker_thread (net/kernel/workqueue.c:3385)
   kthread (net/kernel/kthread.c:436)
   [...]
   ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
   </TASK>
This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
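The guard described above, as an added userspace model in C (not the kernel patch and not code from this advisory). struct elems_model, parse_elems_model() and mesh_matches_local_model() are hypothetical names, the sample IE buffers are constructed, and comparing the configuration as one five-byte block is a simplification of the kernel's per-field checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_MESH_CONFIG 113 /* Mesh Configuration element ID */
#define EID_MESH_ID     114 /* Mesh ID element ID */
#define MESH_CONFIG_LEN 7

/* Model of the parsed elements: a pointer stays NULL when its IE is absent. */
struct elems_model {
    const uint8_t *mesh_id, *mesh_config;
    uint8_t mesh_id_len;
};

/* Constructed sample IE buffers: Mesh ID "lab" with and without Mesh Configuration. */
static const uint8_t ies_full[] = { 114, 3, 'l', 'a', 'b', 113, 7, 1, 1, 0, 1, 0, 0, 0 };
static const uint8_t ies_no_cfg[] = { 114, 3, 'l', 'a', 'b' };

/* Walk id/length/value elements; truncated or wrong-sized ones are not recorded. */
static void parse_elems_model(const uint8_t *buf, size_t len, struct elems_model *e)
{
    size_t pos = 0;
    memset(e, 0, sizeof(*e));
    while (len - pos >= 2) {
        uint8_t id = buf[pos], elen = buf[pos + 1];
        pos += 2;
        if (elen > len - pos)
            break;
        if (id == EID_MESH_ID) {
            e->mesh_id = buf + pos;
            e->mesh_id_len = elen;
        } else if (id == EID_MESH_CONFIG && elen == MESH_CONFIG_LEN) {
            e->mesh_config = buf + pos;
        }
        pos += elen;
    }
}

/* Comparator with the guard the fix describes: no Mesh Configuration IE, no match. */
static bool mesh_matches_local_model(const struct elems_model *e, const uint8_t *id,
                                     uint8_t id_len, const uint8_t *cfg)
{
    if (!e->mesh_config)
        return false; /* the early return; without it the memcmp below reads NULL */
    if (!e->mesh_id || e->mesh_id_len != id_len || memcmp(e->mesh_id, id, id_len) != 0)
        return false;
    /* Simplification: compare the first five configuration bytes as one block. */
    return memcmp(e->mesh_config, cfg, 5) == 0;
}
```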
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23396.json",
"cna_assigner": "Linux"
}