CVE-2026-58374
NixOS Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-58374 is an out-of-bounds write (off-by-one error) vulnerability in hostapd's Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing. An unauthenticated attacker within wireless range can send a crafted management frame with a malformed Multi-Link Element or Per-STA Profile subelement to crash the hostapd process. The vulnerability affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. It was reported to upstream on 2026-05-14, with the upstream security advisory published on 2026-06-05 and public disclosure on 2026-06-30. It carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, oss-security).

Detalhes técnicos

The root cause is a missing bounds check (CWE-193: Off-by-one Error) in hostapd_process_ml_assoc_req() within src/ap/ieee802_11_eht.c. The link_id field is masked with 0x000f, allowing values 0–15, but the links[] array only has valid entries for link IDs 0 through 14 (MAX_NUM_MLD_LINKS=15). A crafted Per-STA Profile subelement with link_id=15 causes an out-of-bounds write into memory adjacent to the links[] array during association processing — critically, this occurs before the 4-way handshake, requiring no credentials or prior authentication. The attack vector is adjacent network (wireless radio range), with low complexity and no user interaction required (oss-security, GitHub Advisory).

Impacto

The confirmed practical impact is denial of service through termination of the hostapd process, which would disrupt Wi-Fi access point functionality for all connected clients. The out-of-bounds write also causes small memory corruption, though no confidentiality or integrity impact has been confirmed beyond the DoS. There is no evidence of lateral movement potential or data exposure risk associated with this vulnerability in its current known exploitation scope (GitHub Advisory, oss-security).

Etapas de exploração

  1. Reconnaissance: Identify a target Wi-Fi 7 (IEEE 802.11be) access point running hostapd v2.11 or a pre-v2.12 development snapshot with CONFIG_IEEE80211BE enabled, using wireless scanning tools (e.g., iw, airodump-ng) to detect MLD-capable APs advertising Multi-Link Operation capabilities.
  2. Craft malicious association request: Construct a raw IEEE 802.11 management frame (association request) containing a Multi-Link Element with a Per-STA Profile subelement where the link_id field is set to 15 (0x0F), which passes the 0x000f mask check but exceeds the valid links[] array bounds.
  3. Transmit the frame: Using a Wi-Fi adapter capable of raw frame injection (e.g., with scapy or a custom 802.11be-aware tool), transmit the crafted association request frame to the target AP while within wireless radio range — no prior association or credentials are required.
  4. Trigger out-of-bounds write: The hostapd process parses the malformed frame in hostapd_process_ml_assoc_req(), writes to links[15] (out-of-bounds), causing memory corruption and process termination, resulting in denial of service for all clients on the affected AP (oss-security, GitHub Advisory).

Indicadores de compromisso

  • Logs: Unexpected hostapd process crash or restart entries in system logs (e.g., syslog, journalctl); hostapd log entries showing association request processing from an unknown MAC address immediately before process termination; kernel messages indicating memory corruption or segmentation fault from the hostapd process.
  • Network: Repeated IEEE 802.11 association request frames from a single or spoofed MAC address targeting the AP's MLD BSSID; unusual management frame traffic on Wi-Fi 7 channels with malformed Multi-Link Elements detectable via wireless packet capture (e.g., Wireshark with 802.11be dissectors).
  • Process: Sudden termination and restart of the hostapd daemon; core dump files generated by hostapd in the working directory or /var/crash/.

Mitigação e soluções alternativas

The primary remediation is to upgrade hostapd to version 2.12 or apply the upstream 2026-1 security fixes (commits 46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187 and aa9d345887389a251c63a3781d2ad2940d079193). As a workaround, operators who do not require Wi-Fi 7 MLO functionality can rebuild hostapd without CONFIG_IEEE80211BE to eliminate the vulnerable code path entirely. Additional mitigations include restricting physical wireless access through network segmentation and applying strong authentication for management interfaces (oss-security, GitHub Advisory).

Reações da comunidade

The vulnerability was independently discovered and reported by two researchers: Sebastián Alba Vives (credited in the upstream advisory) and Abhinav Agarwal (who also reported it and disclosed it on the oss-security mailing list). The upstream hostapd maintainer published a security advisory (2026-1) and patches promptly. Community reaction has been measured given the Medium severity rating, lack of public exploit, and the requirement for physical wireless proximity (oss-security).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado NixOS Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-14241CRITICAL9.8
  • NixOS logoNixOS
  • cpe:2.3:a:mozilla:firefox
NãoNãoJun 30, 2026
CVE-2026-58016CRITICAL9.1
  • NixOS logoNixOS
  • glib2
NãoSimJun 30, 2026
CVE-2026-58014HIGH8.6
  • NixOS logoNixOS
  • glib2
NãoSimJun 30, 2026
CVE-2026-58015HIGH7.5
  • NixOS logoNixOS
  • glib2-fam
NãoSimJun 30, 2026
CVE-2026-58374HIGH7.1
  • NixOS logoNixOS
  • hostapd
NãoNãoJun 30, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades