Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Adjacent wireless range (AV:A), no auth or interaction (PR:N/UI:N); confirmed impact is process crash (A:H) with only minor out-of-bounds write corruption (I:L) and no data disclosure (C:N).
Primary rating from Vendor (mitre).
CVSS Vector (NVD)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Description (NVD)
In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.
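The boundary condition described above, as an added example that is not hostapd's code: a 4-bit link ID can take 16 values while `links[]` has 15 slots, so the ID must be checked against the array size before it is used as an index. All names, the struct layout and the mask constant are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* All names below are hypothetical; this is not hostapd's code or layout. */
#define NUM_LINKS    15      /* valid link IDs are 0..14 (from the advisory) */
#define LINK_ID_MASK 0x000f  /* assumption: Link ID = low 4 bits of STA Control */

struct link_table {
    struct {
        const uint8_t *profile;  /* points into the received subelement */
        size_t len;
    } links[NUM_LINKS];
};

/* Read the 4-bit link ID from a little-endian 16-bit STA Control field.
 * The mask alone still lets 15 through, one past the last valid index. */
static unsigned int sta_ctrl_link_id(const uint8_t *sta_ctrl)
{
    unsigned int v = sta_ctrl[0] | ((unsigned int)sta_ctrl[1] << 8);
    return v & LINK_ID_MASK;
}

/* Store a per-link profile. Returns 0 on success, -1 if the subelement is
 * too short or names a link ID that has no slot in links[]. */
static int record_link(struct link_table *t, const uint8_t *sub, size_t len)
{
    unsigned int id;
    if (len < 2)
        return -1;
    id = sta_ctrl_link_id(sub);
    if (id >= NUM_LINKS)     /* the bounds check: reject 15 before indexing */
        return -1;
    t->links[id].profile = sub + 2;
    t->links[id].len = len - 2;
    return 0;
}

/* Constructed input: a 2-byte STA Control carrying only the given link ID. */
static int demo_record(unsigned int link_id)
{
    struct link_table t = { 0 };
    uint8_t sub[2] = { (uint8_t)(link_id & 0xff), 0x00 };
    return record_link(&t, sub, sizeof(sub));
}

int main(void)
{
    return !(demo_record(14) == 0 && demo_record(15) == -1);
}
```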
Analysis (AI)
Denial of service in hostapd 2.11 through pre-2.12 development snapshots (built with CONFIG_IEEE80211BE) lets an unauthenticated attacker within wireless range crash the access-point daemon by sending a crafted Wi-Fi 7 (802.11be) Multi-Link association request. A malformed Multi-Link Element or Per-STA Profile subelement supplies a link_id of 15 that overruns the 15-entry (0-14) links[] array, causing an out-of-bounds write before the 4-way handshake. …
Vulnerability Assessment (AI)
| Item | Assessment |
|---|---|
| Exploitation | The target AP must run hostapd 2.11 or a pre-2.12 development snapshot compiled with CONFIG_IEEE80211BE and operating as a Wi-Fi 7 (IEEE 802.11be) access point with Multi-Link Operation active - this build/deployment mode is the essential prerequisite, and non-Wi-Fi-7 or non-CONFIG_IEEE80211BE builds are not affected. … |
| Risk Assessment | The signals are internally consistent and point to a real but bounded risk. … |
| Exploit Scenario | An attacker within Wi-Fi radio range of a Wi-Fi 7 access point running vulnerable hostapd crafts a malformed 802.11be association request whose Multi-Link Element / Per-STA Profile subelement sets link_id to 15. When hostapd_process_ml_assoc_req() parses it, the out-of-bounds write corrupts memory and terminates the hostapd process, knocking the AP offline for all clients. … |
| Remediation | Vendor-released patch: hostapd 2.12, which includes the upstream 2026-1 fixes (commits 46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187 and aa9d345887389a251c63a3781d2ad2940d079193); upgrade all Wi-Fi 7 access points to 2.12 or later per https://w1.fi/security/2026-1/. … |
Recommended Action (AI)
Within 24 hours: Identify all hostapd instances running versions 2.11 or pre-2.12 development snapshots with CONFIG_IEEE80211BE (Wi-Fi 7) support enabled. …
Same weakness: CWE-193 – Off-by-one Error
Same technique: Buffer Overflow
EUVD-2026-40306
GHSA-f38w-mwf7-vv8p