Vulnerability DatabaseCVE-2026-23396

CVE-2026-23396:
CBL Mariner vulnerability analysis and mitigation

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: fix NULL deref in mesh_matches_local()

mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.

The other two callers are already safe:

ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local()
mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel. The captured crash log: Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace:

? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)

This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

6.5

Score

Published March 26, 2026

Severity MEDIUM

CNA Score N/A

Affected Technologies

CBL Mariner
Linux Debian

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 9.2

Exploitation Probability (EPSS) N/A

Affected packages and libraries

linux-hwe
linux-hwe-6.17

Sources

NVD
CBL-Mariner
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: Apr 02, 2026
Debian Security Tracker
- Debian 11, 12, 13 No FixAdded at: Mar 29, 2026
- Debian 14 Has FixAdded at: Mar 29, 2026
Echo
- Echo Has FixAdded at: Mar 29, 2026
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04 Severity MEDIUMNo FixAdded at: Mar 31, 2026
- Ubuntu 22.04, 24.04, 25.10 Severity MEDIUMNo FixAdded at: Apr 02, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related CBL Mariner vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-23395	HIGH	8.8	Linux Kernel	linux-azure-6.8	No	Yes	Mar 25, 2026
CVE-2026-23392	HIGH	7.8	Linux Kernel	libperf	No	Yes	Mar 25, 2026
CVE-2026-23398	MEDIUM	6.5	Linux Kernel	kernel-rt-modules-core	No	Yes	Mar 26, 2026
CVE-2026-23396	MEDIUM	6.5	CBL Mariner	linux-hwe	No	Yes	Mar 26, 2026
CVE-2026-23397	MEDIUM	4.4	Linux Kernel	linux-oracle-6.8	No	Yes	Mar 26, 2026