CVE-2020-24588 — Use of a Broken or Risky Cryptographic Algorithm in Linux

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-20 — Improper Input Validation CWE-354 — Improper Validation of Integrity Check Value CWE-345 — Insufficient Verification of Data Authenticity CWE-772 — Missing Release of Resource after Effective Lifetime CWE-99 — Resource Injection CWE-306 — Missing Authentication for Critical Function45 documents15 sources

Severity

9.1CRITICALNVD

NVD7.8NVD3.5OSV3.5

EPSS

0.3%

top 45.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Firmware-nonfree +23 more

Timeline

PublishedMay 11

Latest updateAug 16

Description

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages26 packages

▶CVEListV5linux/linux79720743421753ff72bfa0d79976c534645b81c1 — e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80+5

▶debiandebian/linux< linux 6.1.147-1 (bookworm)+1

▶debiandebian/linux-6.1< linux 6.1.147-1 (bookworm)

▶NVDlinux/linux_kernel6.1.107 — 6.1.146+11

▶debiandebian/firmware-nonfree< firmware-nonfree 20210818-1 (bookworm)

Also affects: Debian Linux 11.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-hxq3-8p4p-wv7w: In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prev↗2025-08-16

▶

OSV

CVE-2025-38512: In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to preven↗2025-08-16

▶

Kernel

wifi: prevent A-MSDU attacks in mesh networks↗2025-06-16

▶

GHSA

GHSA-hchj-55px-fgw7: IEEE P802↗2025-05-21

▶

OSV

CVE-2025-27558: IEEE P802↗2025-05-21

▶

📋Vendor Advisories

Red Hat

kernel: wifi: prevent A-MSDU attacks in mesh networks↗2025-08-16

▶

Debian

CVE-2025-38512: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: preve...↗2025

▶

Debian

CVE-2025-27558: linux - IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. I...↗2025

▶

CISA ICS

Siemens SCALANCE FragAttacks↗2022-04-14

▶

CISA ICS

Mitsubishi Electric GT25-WLAN (Update A)↗2022-04-12

▶

🕵️Threat Intelligence

Qualys

Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical↗2021-05-11

▶

Crowdstrike

May 2021 Patch Tuesday: Updates and Analysis↗

▶

Crowdstrike

May 2021 Patch Tuesday: Updates and Analysis↗

▶

💬Community

HackerOne

Fragmentation and Aggregation Flaws in Wi-Fi↗2021-07-23

▶

External resources

NVD MITRE

Affected products26

Debian Firmware-nonfreefixed in firmware-nonfree 20210818-1 (bookworm)

Debian Linuxfixed in linux 6.1.147-1 (bookworm)fixed in firmware-nonfree 20210818-1 (bookworm)

Debian Linuxv11.0v9.0

Debian Linux-6.1fixed in linux 6.1.147-1 (bookworm)

Google Android

Linux≥ 79720743421753ff72bfa0d79976c534645b81c1, < e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80≥ 986e43b19ae9176093da35e0a844e65c8bf9ede7, < ec6392061de6681148b63ee6c8744da833498cdd≥ 986e43b19ae9176093da35e0a844e65c8bf9ede7, < e01851f6e9a665a6011b14714b271d3e6b0b8d32+3 more

Linux Kernel≥ 0, < 5.10.46-1≥ 0, < 6.1.147-1≥ 0, < 6.12.41-1+14 more

Microsoft Windows 10v1607v1803v1809+3 more

Microsoft Windows Server 2008vr2

Microsoft Windows Server 2016v2004

Disclosure

PublishedMay 11, 2021

Latest updateAug 16, 2025