NULL Pointer Dereference Affecting kernel-docs-html package, versions <6.12.0-160000.33.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-SLES1600-KERNELDOCSHTML-17124693
- published2 Jun 2026
- disclosed28 May 2026
Introduced: 28 May 2026
NewCVE-2026-23279 (opens in a new tab)How to fix?
Upgrade SLES:16.0.0 kernel-docs-html to version 6.12.0-160000.33.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-docs-html package and not the kernel-docs-html package as distributed by SLES.
See How to fix? for SLES:16.0.0 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check:
ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl;
...
pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value);
The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not verify the presence of the Mesh Channel Switch Parameters IE (element ID 118). When a received CSA action frame omits that IE, ieee802_11_parse_elems() leaves elems->mesh_chansw_params_ie as NULL, and the unconditional dereference causes a kernel NULL pointer dereference.
A remote mesh peer with an established peer link (PLINK_ESTAB) can trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame that includes a matching Mesh ID and Mesh Configuration IE but omits the Mesh Channel Switch Parameters IE. No authentication beyond the default open mesh peering is required.
Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim:
BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] CR2: 0000000000000000
Fix by adding a NULL check for mesh_chansw_params_ie after mesh_matches_local() returns, consistent with how other optional IEs are guarded throughout the mesh code.
The bug has been present since v3.13 (released 2014-01-19).
References
- https://www.suse.com/security/cve/CVE-2026-23279.html
- https://bugzilla.suse.com/1260468
- https://git.kernel.org/stable/c/017c1792525064a723971f0216e6ef86a8c7af11
- https://git.kernel.org/stable/c/22a9adea7e26d236406edc0ea00b54351dd56b9c
- https://git.kernel.org/stable/c/2b5f282b1b7241ef624c3399a1cdff0bb1a3eeab
- https://git.kernel.org/stable/c/753ad20dcbe36b67088c7770d8fc357d7cc43e08
- https://git.kernel.org/stable/c/be8b82c567fda86f2cbb43b7208825125bb31421
- https://git.kernel.org/stable/c/cc6d5a3c0a854aeae00915fc5386570c86029c60
- https://git.kernel.org/stable/c/f061336f072ab03fd29270ae61fede46bf8fd69d
- https://git.kernel.org/stable/c/f5d8af683410a8c82e48b51291915bd612523d9a