CVE-2019-9496 — External Control of Critical State Data in Alliance Hostapd With SAE Support
CWE-642 — External Control of Critical State DataCWE-287 — Improper Authentication10 documents8 sources
Severity
7.5HIGHNVD
EPSS
2.4%
top 15.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 17
Latest updateMay 14
Description
An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
Also affects: Fedora 28, 29, 30
Patches
🔴Vulnerability Details
3GHSA▶
GHSA-cvwc-47mg-vx9r: An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confi↗2022-05-14
OSV▶
CVE-2019-9496: An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confi↗2019-04-17
CVEList▶
An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps↗2019-04-17
📋Vendor Advisories
3💬Community
3Bugzilla
▶
Bugzilla
▶