NULL Pointer Dereference Affecting kernel-docs-html package, versions <6.12.0-160000.33.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-SLES1600-KERNELDOCSHTML-17125875
- published2 Jun 2026
- disclosed28 May 2026
Introduced: 28 May 2026
NewCVE-2026-23396 (opens in a new tab)How to fix?
Upgrade SLES:16.0.0 kernel-docs-html to version 6.12.0-160000.33.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-docs-html package and not the kernel-docs-html package as distributed by SLES.
See How to fix? for SLES:16.0.0 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL deref in mesh_matches_local()
mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.
The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before calling mesh_matches_local()
- mesh_plink_get_event() is only reached through mesh_process_plink_frame(), which checks !elems->mesh_config, too
mesh_rx_csa_frame() is the only caller that passes raw parsed elements to mesh_matches_local() without guarding mesh_config. An adjacent attacker can exploit this by sending a crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE, crashing the kernel.
The captured crash log:
Oops: general protection fault, probably for non-canonical address ... KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events_unbound cfg80211_wiphy_work [...] Call Trace: <TASK> ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65) ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686) [...] ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802) [...] cfg80211_wiphy_work (net/wireless/core.c:426) process_one_work (net/kernel/workqueue.c:3280) ? assign_work (net/kernel/workqueue.c:1219) worker_thread (net/kernel/workqueue.c:3352) ? __pfx_worker_thread (net/kernel/workqueue.c:3385) kthread (net/kernel/kthread.c:436) [...] ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255) </TASK>
This patch adds a NULL check for ie->mesh_config at the top of mesh_matches_local() to return false early when the Mesh Configuration IE is absent.
References
- https://www.suse.com/security/cve/CVE-2026-23396.html
- https://bugzilla.suse.com/1260729
- https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813
- https://git.kernel.org/stable/c/14a4fd13657a3f2489db6566f081adfb27a49c64
- https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d
- https://git.kernel.org/stable/c/74de6fa472b03bc8cde0a081484e9960bcbda568
- https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116
- https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004
- https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c
- https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd