
hostapd CVE-2026-58374

EUVD: EUVD-2026-40306 · HIGH
Off-by-one Error (CWE-193)
2026-06-30 · cve@mitre.org · GHSA-f38w-mwf7-vv8p
7.1 (CVSS 3.1 · NVD)

Severity by source

Vendor (mitre), primary: MEDIUM (qualitative)
NVD: 7.1 HIGH (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
vuln.today AI: 7.1 HIGH

Adjacent wireless range (AV:A), no auth or interaction (PR:N/UI:N); confirmed impact is process crash (A:H) with only minor out-of-bounds write corruption (I:L) and no data disclosure (C:N).

CVSS 3.1: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS 4.0: AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

Lifecycle Timeline (7 events)

Jul 02, 2026 17:28 · vuln.today · Analysis Updated, v3 (cvss_changed)
Jul 02, 2026 17:28 · vuln.today · Analysis Updated, v2 (cvss_changed)
Jul 02, 2026 17:22 · vuln.today · Re-analysis Queued (cvss_changed)
Jul 02, 2026 17:22 · NVD · Severity Changed: MEDIUM → HIGH
Jul 02, 2026 17:22 · NVD · CVSS changed: 6.5 (MEDIUM) → 7.1 (HIGH)
Jun 30, 2026 15:01 · EUVD · Patch available
Jun 30, 2026 13:39 · vuln.today · Analysis Generated

Description (NVD)

In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.

Analysis (AI)

Denial of service in hostapd 2.11 through pre-2.12 development snapshots (built with CONFIG_IEEE80211BE) lets an unauthenticated attacker within wireless range crash the access-point daemon by sending a crafted Wi-Fi 7 (802.11be) Multi-Link association request. A malformed Multi-Link Element or Per-STA Profile subelement supplies a link_id of 15 that overruns the 15-entry (0-14) links[] array, causing an out-of-bounds write before the 4-way handshake. …
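The off-by-one described in the NVD description and the analysis above, as an added illustrative example in C that is not hostapd's own code from src/ap/ieee802_11_eht.c: a Multi-Link element walker that validates the 4-bit link_id of each Per-STA Profile against a 15-entry links[] array before indexing it, and also length-checks each subelement against the buffer. The names MAX_LINKS, struct mld_sta and SUBELEM_PER_STA_PROFILE, the control-byte/BSSID layout of the profile, and the sample element bytes are all constructed for this example and are not hostapd identifiers or real frame captures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative, not hostapd code. Sizes follow the advisory: links[] has
 * 15 valid slots (0..14), while a 4-bit link_id field can encode 0..15. */
#define MAX_LINKS 15
#define SUBELEM_PER_STA_PROFILE 0   /* constructed subelement id for this example */
#define PROFILE_MIN_LEN 7           /* control byte + 6-byte link BSSID (assumed layout) */

struct link_info {
    bool valid;
    uint8_t bssid[6];
};

struct mld_sta {
    struct link_info links[MAX_LINKS];
    unsigned int num_links;
};

/* The fix in one line: a link_id is usable only if it indexes inside links[]. */
int link_id_in_range(unsigned int link_id)
{
    return link_id < MAX_LINKS;
}

/* Handle one Per-STA Profile: [control(1) | bssid(6) | ...]; link_id = control & 0x0f. */
static int process_per_sta_profile(struct mld_sta *sta, const uint8_t *data, size_t len)
{
    if (len < PROFILE_MIN_LEN)
        return 0;                               /* too short to carry control + BSSID */
    unsigned int link_id = data[0] & 0x0f;
    /* Without this check a link_id of 15 writes one past links[14]. */
    if (!link_id_in_range(link_id))
        return 0;
    if (sta->links[link_id].valid)
        return 0;                               /* duplicate link_id is rejected too */
    sta->links[link_id].valid = true;
    memcpy(sta->links[link_id].bssid, data + 1, 6);
    sta->num_links++;
    return 1;
}

/* Walk the subelements of a Multi-Link element body: [id(1) | len(1) | data(len)]*.
 * Returns the number of accepted links, or -1 when a subelement overruns the buffer. */
int process_ml_element(struct mld_sta *sta, const uint8_t *body, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 2)
            return -1;                          /* no room for id + length header */
        uint8_t id = body[pos];
        uint8_t sub_len = body[pos + 1];
        if (sub_len > len - pos - 2)
            return -1;                          /* declared length exceeds buffer */
        if (id == SUBELEM_PER_STA_PROFILE)
            process_per_sta_profile(sta, body + pos + 2, sub_len);
        pos += 2 + sub_len;
    }
    return (int)sta->num_links;
}

/* Constructed sample: profiles for link 0, link 14 and link 15 (the overflow case). */
int demo_accepted_links(void)
{
    static const uint8_t body[] = {
        0, 7, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
        0, 7, 0x0e, 0x02, 0x00, 0x00, 0x00, 0x00, 0x0e,
        0, 7, 0x0f, 0x02, 0x00, 0x00, 0x00, 0x00, 0x0f,
    };
    struct mld_sta sta;
    memset(&sta, 0, sizeof(sta));
    return process_ml_element(&sta, body, sizeof(body));
}

/* Constructed sample whose subelement length runs past the end of the buffer. */
int demo_truncated(void)
{
    static const uint8_t body[] = { 0, 20, 0x01, 0x02 };
    struct mld_sta sta;
    memset(&sta, 0, sizeof(sta));
    return process_ml_element(&sta, body, sizeof(body));
}

int main(void)
{
    printf("accepted links: %d (link 15 rejected)\n", demo_accepted_links());
    printf("truncated element: %d\n", demo_truncated());
    return 0;
}
```

The comparison `link_id < MAX_LINKS` is the whole fix: a 4-bit field admits 16 values but the array has 15 slots, so `<=` or no check at all lets link_id 15 write past links[14]. Rejecting the subelement outright, rather than clamping the value, avoids half-processing an association request whose Multi-Link Element is already known to be malformed.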


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Position within wireless range of Wi-Fi 7 AP
Delivery: Craft 802.11be association request with malformed Multi-Link Element
Exploit: Set Per-STA Profile link_id to 15
Execution: Trigger out-of-bounds write in hostapd_process_ml_assoc_req()
Impact: Crash hostapd process, AP denial of service

Vulnerability Assessment (AI)

Exploitation: The target AP must run hostapd 2.11 or a pre-2.12 development snapshot compiled with CONFIG_IEEE80211BE and operating as a Wi-Fi 7 (IEEE 802.11be) access point with Multi-Link Operation active. This build/deployment mode is the essential prerequisite; non-Wi-Fi-7 or non-CONFIG_IEEE80211BE builds are not affected. …

Risk Assessment: The signals are internally consistent and point to a real but bounded risk. …

Exploit Scenario: An attacker within Wi-Fi radio range of a Wi-Fi 7 access point running vulnerable hostapd crafts a malformed 802.11be association request whose Multi-Link Element / Per-STA Profile subelement sets link_id to 15. When hostapd_process_ml_assoc_req() parses it, the out-of-bounds write corrupts memory and terminates the hostapd process, knocking the AP offline for all clients. …

Remediation: Vendor-released patch: hostapd 2.12, which includes the upstream 2026-1 fixes (commits 46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187 and aa9d345887389a251c63a3781d2ad2940d079193); upgrade all Wi-Fi 7 access points to 2.12 or later per https://w1.fi/security/2026-1/. …

Recommended Action (AI)

Within 24 hours: Identify all hostapd instances running versions 2.11 or pre-2.12 development snapshots with CONFIG_IEEE80211BE (Wi-Fi 7) support enabled. …


CVE-2026-58374 vulnerability details – vuln.today
