MITRE assigned CVE-2026-58374 with a CVSS score of 6.5
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-- Abhinav

On Mon, Jun 29, 2026 at 7:50 PM Abhinav Agarwal
<[email protected]> wrote:
>
> A Wi-Fi 7 / IEEE 802.11be MLD parsing issue in hostapd AP mode has
> been fixed upstream:
>
> https://w1.fi/security/2026-1/missing-ml-parsing-validation.txt
>
> Issue:
>   Missing link ID validation in hostapd_process_ml_assoc_req()
>   (src/ap/ieee802_11_eht.c). link_id is masked with 0x000f
>   (values 0-15), but links[] only has valid entries 0..14
>   (MAX_NUM_MLD_LINKS=15). A crafted Per-STA Profile with
>   link_id=15 can write past the end of links[] during association
>   processing.
>
>   This is reachable before the 4-way handshake; no credentials are
>   required. An attacker within radio range can trigger it with a
>   crafted association request.
>
> Affected:
>   hostapd v2.11 and newer repository snapshots before v2.12, built
>   with CONFIG_IEEE80211BE and running Wi-Fi 7 / MLD AP configuration.
>
> Impact:
>   hostapd process termination / denial of service, and small memory
>   corruption, per the upstream advisory.
>
> Fix:
>   
> https://git.w1.fi/cgit/hostap/commit/?id=46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187
>
>   Additional related fixes are listed in the upstream advisory.
>
> Mitigation:
>   Update to hostapd v2.12 or newer once available, or apply the
>   upstream fixes and rebuild.
>
> CVE status:
>   CVE assignment requested from MITRE under CAN-2026-2032030
>
> Credit:
>   The upstream advisory credits Sebastián Alba Vives, with independent
>   discovery and report by Abhinav Agarwal.
>
> Timeline:
>   2026-05-14  reported to upstream
>   2026-06-05  upstream published security advisory
>
> --
> Abhinav Agarwal

Reply via email to