Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the Linux kernel's mac80211 wireless subsystem, specifically within the mesh networking code. The issue arises in the 'mesh_matches_local()' function, which improperly assumes the presence of a Mesh Configuration Information Element (IE) when comparing mesh parameters. This flaw can be exploited by an adjacent attacker who sends a crafted Channel Switch Announcement (CSA) action frame that includes a valid Mesh ID but omits the Mesh Configuration IE, leading to a kernel crash. The vulnerability is present in the Linux kernel stable tree.
Exploitation of this vulnerability causes a general protection fault, crashing the kernel. The error log indicates a null pointer dereference, which is a common cause of such crashes.
The vulnerability can be reproduced by sending a crafted CSA action frame that includes a valid Mesh ID but omits the Mesh Configuration IE. This can be done using a tool that allows manipulation of Wi-Fi frames, such as Scapy or a custom script, targeting a device running the affected Linux kernel version.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version that includes the patch.
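The missing-element check described above, as an added user-space sketch in C; it is not the kernel's code or the upstream patch. The struct, the function names and the sample bytes are assumptions for illustration, and comparing only the first five Mesh Configuration bytes is a simplification.

```c
#include <stdint.h>
#include <string.h>

/* IEEE 802.11 element IDs; the Mesh Configuration body is 7 bytes. */
#define EID_MESH_CONFIG 113
#define EID_MESH_ID     114
#define MESH_CONFIG_LEN 7

/* Hypothetical parse result: a pointer stays NULL when its element is absent. */
struct mesh_elems { const uint8_t *mesh_id, *mesh_config; uint8_t mesh_id_len; };

/* Constructed sample data, not captured traffic. */
const uint8_t LOCAL_ID[] = { 'l', 'a', 'b' };
const uint8_t LOCAL_CFG[MESH_CONFIG_LEN] = { 1, 1, 0, 1, 0, 0, 0 };
const uint8_t ELEMS_FULL[] = { 114, 3, 'l', 'a', 'b', 113, 7, 1, 1, 0, 1, 0, 0, 0 };
const uint8_t ELEMS_NO_CFG[] = { 114, 3, 'l', 'a', 'b' };

/* Walk id/length/value elements; 0 on success, -1 on a truncated element. */
int parse_elems(const uint8_t *buf, size_t len, struct mesh_elems *out)
{
    memset(out, 0, sizeof(*out));
    for (size_t pos = 0; pos < len; pos += 2 + (size_t)buf[pos + 1]) {
        if (len - pos < 2 || (size_t)buf[pos + 1] > len - pos - 2)
            return -1;
        if (buf[pos] == EID_MESH_ID) {
            out->mesh_id = buf + pos + 2;
            out->mesh_id_len = buf[pos + 1];
        } else if (buf[pos] == EID_MESH_CONFIG && buf[pos + 1] >= MESH_CONFIG_LEN) {
            out->mesh_config = buf + pos + 2;
        }
    }
    return 0;
}

/* Hardened comparison: reject before any dereference if an element is missing. */
int matches_local(const uint8_t *buf, size_t len)
{
    struct mesh_elems e;
    if (parse_elems(buf, len, &e) != 0 || !e.mesh_id || !e.mesh_config)
        return 0;
    return e.mesh_id_len == sizeof(LOCAL_ID) &&
           memcmp(e.mesh_id, LOCAL_ID, sizeof(LOCAL_ID)) == 0 &&
           memcmp(e.mesh_config, LOCAL_CFG, 5) == 0; /* simplification: 5 bytes */
}

int main(void)
{
    return matches_local(ELEMS_NO_CFG, sizeof(ELEMS_NO_CFG)); /* exit 0: rejected */
}
```

Elements with a Mesh ID but no Mesh Configuration are reported as a non-match instead of being compared through a NULL pointer.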