CVE-2026-58374
published 2026-06-30CVE-2026-58374: In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an…
PriorityP427medium6.5CVSS 3.1
AVAACLPRNUINSUCNINAH
In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| w1.fi | hostapd | < 2.12 | 2.12 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
w1.fi hostapd up to 2.11 hostapd_process_ml_assoc_req links[] off-by-one
vuldb·2026-06-30·CVSS 6.5
CVE-2026-58374 [MEDIUM] w1.fi hostapd up to 2.11 hostapd_process_ml_assoc_req links[] off-by-one
A vulnerability was found in w1.fi hostapd up to 2.11. It has been declared as critical. The affected element is the function hostapd_process_ml_assoc_req. Executing a manipulation of the argument links[] can lead to off-by-one.
This vulnerability is tracked as CVE-2026-58374. The attack is only possible within the local network. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to
ghsa_unreviewed·2026-06-30
CVE-2026-58374 [MEDIUM] CWE-193 In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to
In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd proc
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://git.w1.fi/cgit/hostap/commit/?id=46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187https://git.w1.fi/cgit/hostap/commit/?id=aa9d345887389a251c63a3781d2ad2940d079193https://w1.fi/security/2026-1/https://w1.fi/security/2026-1/missing-ml-parsing-validation.txthttps://www.openwall.com/lists/oss-security/2026/06/30/1
2026-06-30
Published