In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.
History

Fri, 10 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Title hostapd: hostapd: Denial of Service via malformed Wi-Fi 7 Multi-Link Operation association request
Weaknesses CWE-787
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in hostapd Multi‑Link Operation Association Request Causes Denial of Service

Tue, 30 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in hostapd Multi‑Link Operation Association Request Causes Denial of Service

Tue, 30 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.
First Time appeared W1.fi
W1.fi hostapd
Weaknesses CWE-193
CPEs cpe:2.3:a:w1.fi:hostapd:*:*:*:*:*:*:*:*
Vendors & Products W1.fi
W1.fi hostapd
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-30T12:35:54.440Z

Updated: 2026-06-30T13:38:26.434Z

Reserved: 2026-06-30T12:35:53.986Z

Link: CVE-2026-58374

cve-icon Vulnrichment

Updated: 2026-06-30T13:38:22.191Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T12:35:54Z

Links: CVE-2026-58374 - Bugzilla