CVE-2022-23303 — Observable Discrepancy in Hostapd

CWE-203 — Observable Discrepancy CWE-924 — Improper Enforcement of Message Integrity During Transmission in a Communication Channel9 documents8 sources

Severity

9.8CRITICALNVD

CNA5.9OSV5.9

EPSS

0.3%

top 44.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

W1.fi Hostapd W1.fi WPA Supplicant Fedoraproject Fedora

Timeline

PublishedJan 17

Latest updateMar 3

Description

The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDw1.fi/hostapd< 2.10

▶NVDw1.fi/wpa_supplicant< 2.10

Also affects: Fedora 35

Patches

Patch: w1.fi ↗Patch: w1.fi ↗

🔴Vulnerability Details

OSV

wpa vulnerabilities↗2025-03-03

▶

GHSA

GHSA-8v55-rm6p-87p5: The implementations of SAE in hostapd before 2↗2022-02-15

▶

OSV

CVE-2022-23303: The implementations of SAE in hostapd before 2↗2022-01-17

▶

CVEList

CVE-2022-23303: The implementations of SAE in hostapd before 2↗2022-01-17

▶

📋Vendor Advisories

Ubuntu

wpa_supplicant and hostapd vulnerabilities↗2025-03-03

▶

Red Hat

wpa_supplicant: SAE side channel attacks as a result of cache access patterns↗2022-01-17

▶

Microsoft

▶

Debian

CVE-2022-23303: wpa - The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10...↗2022

▶