CVE-2020-24588
published 2021-05-11
Priority: P4 · 23 · low · 3.5 (CVSS 3.1)
AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS
3.54%
87.8th percentile
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
Affected
58 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | firmware-nonfree | < firmware-nonfree 20210818-1 (bookworm) | firmware-nonfree 20210818-1 (bookworm) |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux | < firmware-nonfree 20210818-1 (bookworm) | firmware-nonfree 20210818-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| android | — | — | |
| linux | linux | — | — |
| linux | linux | >= 6.1.107 < 6.1.146 | 6.1.146 |
| linux | linux | >= 79720743421753ff72bfa0d79976c534645b81c1 < e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80 | e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80 |
| linux | linux | >= 986e43b19ae9176093da35e0a844e65c8bf9ede7 < ec6392061de6681148b63ee6c8744da833498cdd | ec6392061de6681148b63ee6c8744da833498cdd |
| linux | linux | >= 986e43b19ae9176093da35e0a844e65c8bf9ede7 < e01851f6e9a665a6011b14714b271d3e6b0b8d32 | e01851f6e9a665a6011b14714b271d3e6b0b8d32 |
| linux | linux | >= 986e43b19ae9176093da35e0a844e65c8bf9ede7 < 6e3b09402cc6c3e3474fa548e8adf6897dda05de | 6e3b09402cc6c3e3474fa548e8adf6897dda05de |
| linux | linux | >= 986e43b19ae9176093da35e0a844e65c8bf9ede7 < 737bb912ebbe4571195c56eba557c4d7315b26fb | 737bb912ebbe4571195c56eba557c4d7315b26fb |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.46-1 | 5.10.46-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 5.10.46-1 | 5.10.46-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 5.10.46-1 | 5.10.46-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.10.46-1 | 5.10.46-1 |
| linux | linux_kernel | >= 0 < 5.4.0-77.86 | 5.4.0-77.86 |
| linux | linux_kernel | >= 4.14 < 4.14.235 | 4.14.235 |
| linux | linux_kernel | >= 4.19 < 4.19.193 | 4.19.193 |
CVSS provenance
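| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.5 | LOW | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 2.9 | LOW | AV:A/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 3.5 | LOW | — |
| vendor_cisco | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 3.5 | LOW | — |
| vendor_redhat | — | 3.5 | LOW | — |
| vendor_ubuntu | — | 3.5 | LOW | — |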
GHSA
GHSA-hxq3-8p4p-wv7w
ghsa_unreviewed·2025-08-16·CVSS 3.5
CVE-2025-38512 [LOW] GHSA-hxq3-8p4p-wv7w
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability
for mesh networks. The initial update to the IEEE 802.11 standard, in
response to the FragAttacks, missed this case (CVE-2025-27558). It can
be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU
by an adversary. This is done by parsing a received A-MSDU as a standard
MSDU, calculating the length of the Mesh Control header, and seeing if
the 6 bytes after this header equal the start of an rfc1042 header. If
equal, this is a strong indication of an ongoing attack attempt.
This defense was tested with mac80211_hwsim against
OSV
CVE-2025-38512
osv·2025-08-16·CVSS 3.5
CVE-2025-38512 [LOW]
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU by an adversary. This is done by parsing a received A-MSDU as a standard MSDU, calculating the length of the Mesh Control header, and seeing if the 6 bytes after this header equal the start of an rfc1042 header. If equal, this is a strong indication of an ongoing attack attempt.
This defense was tested with mac80211_hwsim against a me
Kernel
wifi: prevent A-MSDU attacks in mesh networks
kernel_security·2025-06-16·CVSS 3.5
CVE-2020-24588 [LOW] wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability
for mesh networks. The initial update to the IEEE 802.11 standard, in
response to the FragAttacks, missed this case (CVE-2025-27558). It can
be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU
by an adversary. This is done by parsing a received A-MSDU as a standard
MSDU, calculating the length of the Mesh Control header, and seeing if
the 6 bytes after this header equal the start of an rfc1042 header. If
equal, this is a strong indication of an ongoing attack attempt.
This defense was tested with mac80211_hwsim against a mesh network that
uses an empty Mesh Address Extension field, i.e.,
GHSA
GHSA-hchj-55px-fgw7
ghsa_unreviewed·2025-05-21·CVSS 3.5
CVE-2025-27558 [LOW] CWE-345 GHSA-hchj-55px-fgw7
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.
OSV
CVE-2025-27558
osv·2025-05-21·CVSS 3.5
CVE-2025-27558 [LOW]
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.
GHSA
GHSA-qrgr-qfr9-4xfh
ghsa_unreviewed·2022-05-24
CVE-2020-24588 [MEDIUM] CWE-306 GHSA-qrgr-qfr9-4xfh
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
Kernel
Merge tag 'wireless-drivers-next-2021-10-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
kernel_security·2021-10-29·CVSS 3.5
CVE-2020-24588 [LOW] Merge tag 'wireless-drivers-next-2021-10-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
Kalle Valo says:
wireless-drivers-next patches for v5.16
Fourth set of patches for v5.16. Mostly fixes this time, wcn36xx and
iwlwifi have some new features but nothing really out of ordinary.
We have one conflict with kspp tree.
Major changes:
ath11k
* fix QCA6390 A-MSDU handling (CVE-2020-24588)
wcn36xx
* enable hardware scan offload for 5Ghz band
* add missing 5GHz channels 136 and 144
iwlwifi
* support a new ACPI table revision
* improvements in the device selection code
* new hardware support
* support for WiFi 6E enablement via BIOS
* support firmware API version 67
* support for 160MHz in ranging measurements
Link: https://lore.kernel.org/r/2021102913470
Kernel
Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
kernel_security·2021-10-28·CVSS 3.5
CVE-2020-24588 [LOW] Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
ath.git patches for v5.16. Major changes:
ath11k
* fix QCA6390 A-MSDU handling (CVE-2020-24588)
wcn36xx
* enable hardware scan offload for 5Ghz band
* add missing 5GHz channels 136 and 144
Kernel
ath11k: change return buffer manager for QCA6390
kernel_security·2021-10-20·CVSS 3.5
CVE-2020-24588 [LOW] ath11k: change return buffer manager for QCA6390
QCA6390 firmware uses HAL_RX_BUF_RBM_SW1_BM, not HAL_RX_BUF_RBM_SW3_BM. This is
needed to fix a case where an A-MSDU has an unexpected LLC/SNAP header in the
first subframe (CVE-2020-24588).
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Signed-off-by: Baochen Qiang
Signed-off-by: Jouni Malinen
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/[email protected]
OSV
linux-kvm vulnerabilities
osv·2021-06-25·CVSS 3.5
CVE-2021-3609 [LOW] linux-kvm vulnerabilities
USN-5000-1 fixed vulnerabilities in the Linux kernel for Ubuntu
20.04 LTS and the Linux HWE kernel for Ubuntu 18.04 LTS. This update
provides the corresponding updates for the Linux KVM kernel for Ubuntu
20.04 LTS.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implement
OSV
linux-oem-5.10 vulnerabilities
osv·2021-06-23·CVSS 3.5
CVE-2021-3609 [LOW] linux-oem-5.10 vulnerabilities
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issue to inject
packets or expose sensitive information. (CVE-2020-24586)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled encrypted fragments. A physically proximate attacker
could possibly use this issue to decrypt fragments. (CVE-2020-24587)
Mathy Vanhoef discovered that the Linux kernel’s
OSV
linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi vulnerabilities
osv·2021-06-23·CVSS 3.5
CVE-2021-3609 [LOW] linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi vulnerabilities
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some
OSV
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
osv·2021-06-23·CVSS 3.5
CVE-2021-3609 [LOW] linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
Kernel
Merge tag 'wireless-drivers-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
kernel_security·2021-06-03·CVSS 3.5
CVE-2020-24588 [LOW] Merge tag 'wireless-drivers-2021-06-03' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
wireless-drivers fixes for v5.13
We have only mt76 fixes this time, most important being the fix for
A-MSDU injection attacks.
mt76
* mitigate A-MSDU injection attacks (CVE-2020-24588)
* fix possible array out of bound access in mt7921_mcu_tx_rate_report
* various aggregation and HE setting fixes
* suspend/resume fix for pci devices
* mt7615: fix crash when runtime-pm is not supported
Signed-off-by: David S. Miller
Kernel
mt76: validate rx A-MSDU subframes
kernel_security·2021-05-13·CVSS 3.5
CVE-2020-24588 [LOW] mt76: validate rx A-MSDU subframes
Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
header, and if so dropping the complete A-MSDU frame. This mitigates
known attacks, although new (unknown) aggregation-based attacks may
remain possible.
This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
For details, see Section 7.2 of "Fragment a
Kernel
ath10k: drop MPDU which has discard flag set by firmware for SDIO
kernel_security·2021-05-11·CVSS 3.5
CVE-2020-24588 [LOW] ath10k: drop MPDU which has discard flag set by firmware for SDIO
When the discard flag is set by the firmware for an MPDU, it should be
dropped. This allows a mitigation for CVE-2020-24588 to be implemented
in the firmware.
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
Cc: [email protected]
Signed-off-by: Wen Gong
Signed-off-by: Jouni Malinen
Link: https://lore.kernel.org/r/20210511200110.11968c725b5c.Idd166365ebea2771c0c0a38c78b5060750f90e17@changeid
Signed-off-by: Johannes Berg
Kernel
mac80211: drop A-MSDUs on old ciphers
kernel_security·2021-05-11·CVSS 3.5
CVE-2020-24588 [LOW] mac80211: drop A-MSDUs on old ciphers
With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs
since A-MSDUs are only supported if we know that they are, and
the only practical way for that is HT support which doesn't
support old ciphers.
However, we would normally accept them anyway. Since we check
the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in
the QoS header is not protected in TKIP (or WEP), this enables
attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs
completely with old ciphers.
Cc: [email protected]
Link: https://lore.kernel.org/r/20210511200110.076543300172.I548e6e71f1ee9cad4b9a37bf212ae7db723587aa@changeid
Signed-off-by: Johannes Berg
OSV
CVE-2020-24588
osv·2021-05-11·CVSS 3.5
CVE-2020-24588 [LOW]
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
Kernel
cfg80211: mitigate A-MSDU aggregation attacks
kernel_security·2021-05-11·CVSS 3.5
CVE-2020-24588 [LOW] cfg80211: mitigate A-MSDU aggregation attacks
Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
header, and if so dropping the complete A-MSDU frame. This mitigates
known attacks, although new (unknown) aggregation-based attacks may
remain possible.
This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
For details, see Section 7.2 of
Red Hat
kernel: wifi: prevent A-MSDU attacks in mesh networks
vendor_redhat·2025-08-16·CVSS 3.5
CVE-2025-38512 [LOW] CWE-354 kernel: wifi: prevent A-MSDU attacks in mesh networks
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability
for mesh networks. The initial update to the IEEE 802.11 standard, in
response to the FragAttacks, missed this case (CVE-2025-27558). It can
be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU
by an adversary. This is done by parsing a received A-MSDU as a standard
MSDU, calculating the length of the Mesh Control header, and seeing if
the 6 bytes after this header equal the start of an rfc1042 header. If
equal, this is a strong indication of an ongoing attack attempt.
T
Debian
CVE-2025-38512: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: preve...
vendor_debian·2025·CVSS 3.5
CVE-2025-38512 [LOW]
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU by an adversary. This is done by parsing a received A-MSDU as a standard MSDU, calculating the length of the Mesh Control header, and seeing if the 6 bytes after this header equal the start of an rfc1042 header. If equal, this is a strong indication of an ongoing attack attempt.
This defense was tested with mac80211_hwsim against a me
Debian
CVE-2025-27558: linux - IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. I...
vendor_debian·2025·CVSS 3.5
CVE-2025-27558 [LOW]
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.
Scope: local
bookworm: resolved (fixed in 6.1.147-1)
bullseye: open
forky: resolved (fixed in 6.16.3-1)
sid: resolved (fixed in 6.16.3-1)
trixie: resolved (fixed in 6.12.41-1)
CISA ICS
Siemens SCALANCE FragAttacks
cisa_ics·2022-04-14
ICS Advisory
Last Revised: April 14, 2022
Alert Code: ICSA-22-104-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE family devices
- Vulnerabilities: Improper Authentication, Injection, Improper Validation of Integrity Check, Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and traffic manipulation.
## 3. TECHNI
CISA ICS
Mitsubishi Electric GT25-WLAN (Update A)
cisa_ics·2022-04-12·CVSS 3.5
[LOW] Mitsubishi Electric GT25-WLAN (Update A)
ICS Advisory
Last Revised: May 12, 2022
Alert Code: ICSA-22-102-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely
- Vendor: Mitsubishi Electric
- Equipment: Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27
- Vulnerabilities: Improper Removal of Sensitive Information Before Storage or Transfer, Inadequate Encryption Strength, Missing Authentication for Critical Function, Injection, Improper Input Validation
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled IC
BSD
FreeBSD-SA-22:02.wifi: Multiple WiFi issues
bsd_advisories·2022-03-15·CVSS 3.5
CVE-2020-24588 [LOW] FreeBSD-SA-22:02.wifi: Multiple WiFi issues
FreeBSD-SA-22:02.wifi Security Advisory
The FreeBSD Project
Topic: Multiple WiFi issues
Category: core
Module: net80211
Announced: 2022-03-15
Affects: FreeBSD 12.x and FreeBSD 13.0
Corrected: 2021-11-19 00:01:25 UTC (stable/13, 13.0-STABLE)
2022-03-15 17:45:36 UTC (releng/13.0, 13.0-RELEASE-p8)
2022-02-15 16:05:49 UTC (stable/12, 12.3-STABLE)
2022-03-15 18:18:08 UTC (releng/12.3, 12.3-RELEASE-p3)
2022-03-15 18:17:30 UTC (releng/12.2, 12.2-RELEASE-p14)
CVE Name: CVE-2020-26147, CVE-2020-24588, CVE-2020-26144
Note: This issue is already fixed in FreeBSD 13.1-BETA1.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD's net80211 kernel subsystem provi
Android
CVE-2020-24588: WLAN
vendor_android·2021-10-01·CVSS 3.5
CVE-2020-24588 [LOW] CVE-2020-24588: WLAN
Android Security Bulletin 2021-10-01
CVE: CVE-2020-24588
Severity: HIGH
Component: WLAN
References: A-175626624, QC-CR#2866467, QC-CR#2867578, QC-CR#2867994, QC-CR#2868616, QC-CR#2877094, QC-CR#2879013, QC-CR#2883162, QC-CR#2886422, QC-CR#2888466, QC-CR#2890623, QC-CR#2896070, QC-CR#2896369, QC-CR#2861800, QC-CR#2943860
CISA ICS
Hitachi ABB Power Grids TropOS
cisa_ics·2021-08-24·CVSS 3.5
[LOW] Hitachi ABB Power Grids TropOS
ICS Advisory
Last Revised: August 24, 2021
Alert Code: ICSA-21-236-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Low attack complexity
- Vendor: Hitachi ABB Power Grids
- Equipment: TropOS
- Vulnerabilities: Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to direct a client that is connected to a TropOS Wi-Fi access point
Ubuntu
Linux kernel (KVM) vulnerabilities
vendor_ubuntu·2021-06-25·CVSS 3.5
CVE-2020-26145 [LOW] Linux kernel (KVM) vulnerabilities
Title: Linux kernel (KVM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-5000-1 fixed vulnerabilities in the Linux kernel for Ubuntu
20.04 LTS and the Linux HWE kernel for Ubuntu 18.04 LTS. This update
provides the corresponding updates for the Linux KVM kernel for Ubuntu
20.04 LTS.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.
Ubuntu
Linux kernel (KVM) vulnerabilities
vendor_ubuntu·2021-06-25·CVSS 3.5
CVE-2020-26145 [LOW] Linux kernel (KVM) vulnerabilities
Title: Linux kernel (KVM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-4997-1 fixed vulnerabilities in the Linux kernel for Ubuntu 21.04.
This update provides the corresponding updates for the Linux KVM
kernel for Ubuntu 21.04.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the L
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2021-06-23·CVSS 3.5
CVE-2021-31440 [LOW] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issu
Ubuntu
Linux kernel (OEM) vulnerabilities
vendor_ubuntu·2021-06-23·CVSS 3.5
CVE-2021-31440 [LOW] Linux kernel (OEM) vulnerabilities
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issue to inject
packets or expose sensitive information. (CVE-2020-24586)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled encrypted fragments. A physically proximate attacker
could possibly use this issue to decrypt
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2021-06-23·CVSS 3.5
CVE-2020-26139 [LOW] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issu
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2021-06-23·CVSS 3.5
CVE-2021-23134 [LOW] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issu
Red Hat
kernel: wifi frame payload being parsed incorrectly as an L2 frame
vendor_redhat·2021-05-12·CVSS 3.5
CVE-2020-24588 [LOW] CWE-20 kernel: wifi frame payload being parsed incorrectly as an L2 frame
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
A flaw was found in the Linux kernel's wifi implementation. An attacker within wireless broadcast range can inject custom data into the wireless communication circumventing checks on the data. This can cause the frame to pass checks and be considered a valid frame of a different type.
Mitigation: Mitigation for this issue is either not available or the curre
Microsoft
Windows Wireless Networking Spoofing Vulnerability
vendor_msrc·2021-05-11·CVSS 6.5
CVE-2020-24588 [LOW] Windows Wireless Networking Spoofing Vulnerability
Windows Wireless Networking Spoofing Vulnerability
Windows Wireless Networking: Windows Wireless Networking
MITRE Corporation: MITRE Corporation
Impact: Spoofing
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely;DOS:N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003174
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003171
Reference: https://support.microsoft.com/help/5003171
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003169
Reference: https://support.microsoft.com/help/5003169
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003173
Reference: https://support.microsoft.com/he
Cisco
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
vendor_cisco·2021-05-11·CVSS 6.5
CVE-2020-24586 [MEDIUM] CWE-345 Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame fragmentation functionality, and the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge encrypted frames, which could in turn enable the exfiltration of sensitive data from a targeted device.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link
Debian
CVE-2020-24588: firmware-nonfree - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) ...
vendor_debian·2020·CVSS 3.5
CVE-2020-24588 [LOW] CVE-2020-24588: firmware-nonfree - The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) ...
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
Scope: local
bookworm: resolved (fixed in 20210818-1)
bullseye: open
forky: resolved (fixed in 20210818-1)
sid: resolved (fixed in 20210818-1)
trixie: resolved (fixed in 20210818-1)
Cisco
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
vendor_cisco·CVSS 3.1
CVE-2020-24588 Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
CVE-2020-24588: Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame fragmentation functionality, and the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge encrypted frames, which could in turn enable the exfiltration of sensitive data from a targeted device. This advisory will be updated as additional information becomes available. This advisory is available at the
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-38512 kernel: wifi: prevent A-MSDU attacks in mesh networks
bugzilla·2025-08-26·CVSS 3.5
CVE-2025-38512 [LOW] CVE-2025-38512 kernel: wifi: prevent A-MSDU attacks in mesh networks
CVE-2025-38512 kernel: wifi: prevent A-MSDU attacks in mesh networks
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability
for mesh networks. The initial update to the IEEE 802.11 standard, in
response to the FragAttacks, missed this case (CVE-2025-27558). It can
be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU
by an adversary. This is done by parsing a received A-MSDU as a standard
MSDU, calculating the length of the Mesh Control header, and seeing if
the 6 bytes after this header equal the start of an rfc1042 header. If
equal, this is a strong indication of an ongoing
HackerOne
Fragmentation and Aggregation Flaws in Wi-Fi
hackerone·2021-07-23·CVSS 5.3
CVE-2020-26140 [MEDIUM] Fragmentation and Aggregation Flaws in Wi-Fi
Fragmentation and Aggregation Flaws in Wi-Fi
I discovered three design flaws in the Wi-Fi standard and widespread related implementation flaws ([see GitHub overview and test tool](https://github.com/vanhoefm/fragattacks#fragattacks-fragmentation--aggregation-attacks)). **Here I'll specifically cover open source software**. These findings have not received bug bounties from other sources.
# Implementation flaws allowing trivial packet injection
- [CVE-2020-26140](https://nvd.nist.gov/vuln/detail/CVE-2020-26140): Accepting plaintext data frames in a protected network. This allows trivial packet injection. On a Linux client, the AWUS036H network card is vulnerable and two out of four Linux-based **home routers** were vulnerable. On **NetBSD access points**, three out of four tested networ
Qualys
Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical
blogs_qualys·2021-05-11·CVSS 9.9
CVE-2021-31181 [CRITICAL] Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical
## Microsoft Patch Tuesday – May 2021
Microsoft patched 55 CVEs in their May 2021 Patch Tuesday release, of which 4 are rated as critical severity. Three 0-day vulnerability patches were included in the release. As of this publication date, none have been exploited.
Qualys released 12 QIDs on the same day, providing vulnerability detection and patch management coverage (where applicable) for all 55 CVEs and the related KBs.
## Critical Microsoft vulnerabilities patched:
CVE-2021-31181 – SharePoint Remote Code Execution Vulnerability
Microsoft released patches addressing a critical RCE vulnerability in SharePoint (CVE-2021-31181). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.
CVE-2021-31166 – HTTP Protocol Stack Remote Code
Crowdstrike
May 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] May 2021 Patch Tuesday: Updates and Analysis
http://www.openwall.com/lists/oss-security/2021/05/11/12
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
https://www.fragattacks.com
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
https://cert-portal.siemens.com/productcert/html/ssa-019200.html
https://cert-portal.siemens.com/productcert/html/ssa-913875.html
2021-05-11
Published