W1.Fi Hostapd vulnerabilities

CVE-2025-24912 [LOW] CWE-826 CVE-2025-24912: hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices w hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.

CVE-2022-37660 [MEDIUM] CWE-323 CVE-2022-37660: In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the capture

CVE-2022-23304 [CRITICAL] CVE-2022-23304: The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9495.

CVE-2022-23303 [CRITICAL] CVE-2022-23303: The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to s The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494.

CVE-2021-30004 [MEDIUM] CWE-20 CVE-2021-30004: In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.

CVE-2020-12695 [HIGH] CWE-276 CVE-2020-12695: The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

CVE-2019-10064 [HIGH] CVE-2019-10064: hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions w hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

CVE-2019-5061 [MEDIUM] CWE-440 CVE-2019-5061: An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could tr An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking alr

CVE-2019-5062 [MEDIUM] CWE-440 CVE-2019-5062: An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hos An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.

CVE-2019-16275 [MEDIUM] CWE-346 CVE-2019-16275: hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service that should have been prevented by PMF (aka management frame protection). The attacker must send a crafted 802.11 frame from a location that is within the

CVE-2019-13377 [MEDIUM] CWE-203 CVE-2019-13377: The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.

CVE-2019-11555 [MEDIUM] CWE-476 CVE-2019-11555: The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2 The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL pointer dereference (denial of service). This affects eap_server/eap_server_

CVE-2019-9497 [HIGH] CWE-301 CVE-2019-9497: The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit. This vulnerability may allow an attacker to complete EAP-PWD authentication without knowing the password. However, unless the crypto library does not implement additional checks for the EC point, the attacker

CVE-2019-9499 [HIGH] CWE-346 CVE-2019-9499: The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missi The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supp

CVE-2019-9496 [HIGH] CWE-642 CVE-2019-9496: An invalid authentication sequence could result in the hostapd process terminating due to missing st An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with

CVE-2019-9498 [HIGH] CWE-346 CVE-2019-9498: The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing ex The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or lea

CVE-2019-9494 [MEDIUM] CWE-208 CVE-2019-9494: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side channel attacks as a result of observable timing differences and cache access patterns. An attacker may be able to gain leaked information from a side channel attack that can be used for full password recovery. Both hostapd with SAE support and wpa_supplicant with SAE supp

CVE-2019-9495 [LOW] CWE-524 CVE-2019-9495: The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache.

CVE-2016-10743 [HIGH] CWE-332 CVE-2016-10743: hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() fu hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.

CVE-2017-13082 [HIGH] CWE-323 CVE-2017-13082: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwi Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.