oss-sec mailing list archives

Re: hostapd: OOB write in Wi-Fi 7 MLD association parsing (pre-auth DoS)


From: Abhinav Agarwal <abhinavagarwal1996 () gmail com>
Date: Tue, 30 Jun 2026 22:13:35 -0700

MITRE assigned CVE-2026-58374 with a CVSS score of 6.5
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-- Abhinav

On Mon, Jun 29, 2026 at 7:50 PM Abhinav Agarwal
<abhinavagarwal1996 () gmail com> wrote:

A Wi-Fi 7 / IEEE 802.11be MLD parsing issue in hostapd AP mode has
been fixed upstream:

https://w1.fi/security/2026-1/missing-ml-parsing-validation.txt

Issue:
  Missing link ID validation in hostapd_process_ml_assoc_req()
  (src/ap/ieee802_11_eht.c). link_id is masked with 0x000f
  (values 0-15), but links[] only has valid entries 0..14
  (MAX_NUM_MLD_LINKS=15). A crafted Per-STA Profile with
  link_id=15 can write past the end of links[] during association
  processing.

  This is reachable before the 4-way handshake; no credentials are
  required. An attacker within radio range can trigger it with a
  crafted association request.

Affected:
  hostapd v2.11 and newer repository snapshots before v2.12, built
  with CONFIG_IEEE80211BE and running Wi-Fi 7 / MLD AP configuration.

Impact:
  hostapd process termination / denial of service, and small memory
  corruption, per the upstream advisory.

Fix:
  https://git.w1.fi/cgit/hostap/commit/?id=46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187

  Additional related fixes are listed in the upstream advisory.

Mitigation:
  Update to hostapd v2.12 or newer once available, or apply the
  upstream fixes and rebuild.

CVE status:
  CVE assignment requested from MITRE under CAN-2026-2032030

Credit:
  The upstream advisory credits Sebastián Alba Vives, with independent
  discovery and report by Abhinav Agarwal.

Timeline:
  2026-05-14  reported to upstream
  2026-06-05  upstream published security advisory

--
Abhinav Agarwal
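
Added example, not part of the message above and not hostapd source: a simplified C model of the range check the advisory describes as missing, where a 4-bit link ID (0-15) indexes an array of MAX_NUM_MLD_LINKS=15 entries. The struct, function and macro names and the sample byte strings are assumptions made for illustration; the model also assumes Per-STA Profile is subelement ID 0 with a little-endian 16-bit control field whose low four bits carry the link ID.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NUM_MLD_LINKS 15          /* array size given in the advisory */
#define LINK_ID_MASK 0x000f           /* mask from the advisory; name is hypothetical */
#define SUBELEM_PER_STA_PROFILE 0     /* subelement ID assumed by this model */
struct ml_info { uint8_t valid[MAX_NUM_MLD_LINKS]; };  /* hypothetical stand-in for links[] */

/* Walk (id, len, body) subelements. Returns 0 on success, -1 on malformed input. */
int parse_per_sta_profiles(const uint8_t *buf, size_t len, struct ml_info *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof(*out));
    while (pos < len) {
        if (len - pos < 2)
            return -1;                          /* truncated subelement header */
        size_t slen = buf[pos + 1];
        const uint8_t *body = buf + pos + 2;
        if (slen > len - pos - 2)
            return -1;                          /* body runs past the buffer */
        if (buf[pos] == SUBELEM_PER_STA_PROFILE) {
            if (slen < 2)
                return -1;                      /* no room for the 16-bit control field */
            unsigned int ctrl = body[0] | ((unsigned int)body[1] << 8);  /* little endian */
            unsigned int link_id = ctrl & LINK_ID_MASK;                  /* 0..15 */
            if (link_id >= MAX_NUM_MLD_LINKS)
                return -1;                      /* 15 passes the mask but has no slot */
            out->valid[link_id] = 1;
        }
        pos += 2 + slen;
    }
    return 0;
}

/* Constructed inputs: a single Per-STA Profile carrying only the control field. */
const uint8_t sample_ok[]  = { 0x00, 0x02, 0x0e, 0x00 };   /* link_id 14 */
const uint8_t sample_bad[] = { 0x00, 0x02, 0x0f, 0x00 };   /* link_id 15 */
const uint8_t sample_cut[] = { 0x00, 0x05, 0x01, 0x00 };   /* length overruns buffer */

/* Highest link marked valid, or -1 if the input was rejected or marked none. */
int highest_valid_link(const uint8_t *buf, size_t len)
{
    struct ml_info info;
    int i = -1;
    if (parse_per_sta_profiles(buf, len, &info) == 0)
        for (i = MAX_NUM_MLD_LINKS - 1; i >= 0 && !info.valid[i]; i--)
            ;
    return i;
}
```

Without the `link_id >= MAX_NUM_MLD_LINKS` test, `sample_bad` would index one element past the end of the array, which is the condition described in the report.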

