Description
In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing bounds check in the Wi‑Fi 7 Multi‑Link Operation association request processing in hostapd before version 2.12 permits an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi‑Link Element or Per‑STA Profile sub‑element. During processing the link_id field may be interpreted as the value 15, although only link IDs 0‑14 are valid, leading to an out‑of‑bounds write and small memory corruption before the 4‑way handshake, causing the hostapd process to crash and deny service.

Affected Systems

The vulnerable component is hostapd from w1.fi. All releases v2.11 and newer development snapshots prior to v2.12 that are compiled with the CONFIG_IEEE80211BE option enabled are affected. The issue applies to any device running hostapd as the access‑point firmware with Multi‑Link Operation support active.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs to transmit a malicious Wi‑Fi 7 management frame within the coverage area, without credentials or authentication, to trigger the denial of service. The attack vector is wireless proximity; the impact is localized disruption of all clients serviced by the affected AP. As the flaw is publicly fixed in hostapd 2.12, the primary risk remains only on unpatched systems.

Generated by OpenCVE AI on June 30, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hostapd to version 2.12 or newer where the out‑of‑bounds check has been fixed and Multi‑Link Operation support is properly validated.
  • If upgrading is not immediately possible, build hostapd with the CONFIG_IEEE80211BE option disabled or re‑configure the access point to reject MLO association requests.
  • Apply the upstream 2026-1 patch (commit 46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187) to correct the parsing validation on older hostapd versions.

Generated by OpenCVE AI on June 30, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in hostapd Multi‑Link Operation Association Request Causes Denial of Service

Tue, 30 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in hostapd Multi‑Link Operation Association Request Causes Denial of Service

Tue, 30 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.
First Time appeared W1.fi
W1.fi hostapd
Weaknesses CWE-193
CPEs cpe:2.3:a:w1.fi:hostapd:*:*:*:*:*:*:*:*
Vendors & Products W1.fi
W1.fi hostapd
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

W1.fi Hostapd
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-30T13:38:26.434Z

Reserved: 2026-06-30T12:35:53.986Z

Link: CVE-2026-58374

cve-icon Vulnrichment

Updated: 2026-06-30T13:38:22.191Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:15:06Z

Weaknesses