What is CVE-2026-23279?

CVE-2026-23279 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, classified as a NULL Pointer Dereference flaw (CWE-476), affecting Linux kernel versions from 3.13 onward and patched in 5.10.253, 5.15.203, 6.1.167 and others. CVE-2026-23279 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-23279?

CVE-2026-23279 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2026-23279?

Yes, CVE-2026-23279 has been patched. Fixed versions include 5.10.253, 5.15.203, 6.1.167 and others. If you are running Linux kernel 3.13 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-23279 actively exploited?

CVE-2026-23279 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is NULL Pointer Dereference (CWE-476)?

The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/476.html

CVE-2026-23279

Medium

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference. A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required. Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] CR2: 0000000000000000 Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code. The bug has been present since v3.13 (released 2014-01-19).

Package Linux Kernel

Published 2026-03-25

Last modified 2026-05-22

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-476

CVE-2026-23279 is a NULL Pointer Dereference vulnerability

What is NULL Pointer Dereference?

The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. Learn more on MITRE CWE

Affected versions

Linux kernel versions 3.13 and later are affected. Fixed in 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, 7.0 and their respective stable series.

Affected from

≥ 3.13

Fixed in

✓ 5.10.253 5.10.x ✓ 5.15.203 5.15.x ✓ 6.1.167 6.1.x ✓ 6.6.130 6.6.x ✓ 6.12.77 6.12.x ✓ 6.18.17 6.18.x ✓ 6.19.7 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-23279 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11
Patch
Kernel patch commit
https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c
Patch
Kernel patch commit
https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2026-23279

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2026-03-25

Modified 2026-05-22

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2026-23279?

CVE-2026-23279 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as a NULL Pointer Dereference flaw (CWE-476) . It affects Linux kernel versions from 3.13 onward and has been patched in 5.10.253, 5.15.203, 6.1.167 and others. CVE-2026-23279 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2026-23279?

CVE-2026-23279 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2026-23279?

Yes — CVE-2026-23279 has been patched. Fixed versions include 5.10.253, 5.15.203, 6.1.167 and others. If you are running Linux kernel 3.13 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-23279 actively exploited?

No — CVE-2026-23279 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is NULL Pointer Dereference (CWE-476)?

The product dereferences a pointer that it expects to be valid but is NULL, typically causing a crash. View CWE-476 on MITRE CWE →