
PEACH
Uma estrutura de isolamento de inquilino
CVE-2026-58374 is an out-of-bounds write (off-by-one error) vulnerability in hostapd's Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing. An unauthenticated attacker within wireless range can send a crafted management frame with a malformed Multi-Link Element or Per-STA Profile subelement to crash the hostapd process. The vulnerability affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. It was reported to upstream on 2026-05-14, with the upstream security advisory published on 2026-06-05 and public disclosure on 2026-06-30. It carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, oss-security).
The root cause is a missing bounds check (CWE-193: Off-by-one Error) in hostapd_process_ml_assoc_req() within src/ap/ieee802_11_eht.c. The link_id field is masked with 0x000f, allowing values 0–15, but the links[] array only has valid entries for link IDs 0 through 14 (MAX_NUM_MLD_LINKS=15). A crafted Per-STA Profile subelement with link_id=15 causes an out-of-bounds write into memory adjacent to the links[] array during association processing — critically, this occurs before the 4-way handshake, requiring no credentials or prior authentication. The attack vector is adjacent network (wireless radio range), with low complexity and no user interaction required (oss-security, GitHub Advisory).
The confirmed practical impact is denial of service through termination of the hostapd process, which would disrupt Wi-Fi access point functionality for all connected clients. The out-of-bounds write also causes small memory corruption, though no confidentiality or integrity impact has been confirmed beyond the DoS. There is no evidence of lateral movement potential or data exposure risk associated with this vulnerability in its current known exploitation scope (GitHub Advisory, oss-security).
CONFIG_IEEE80211BE enabled, using wireless scanning tools (e.g., iw, airodump-ng) to detect MLD-capable APs advertising Multi-Link Operation capabilities.link_id field is set to 15 (0x0F), which passes the 0x000f mask check but exceeds the valid links[] array bounds.scapy or a custom 802.11be-aware tool), transmit the crafted association request frame to the target AP while within wireless radio range — no prior association or credentials are required.hostapd_process_ml_assoc_req(), writes to links[15] (out-of-bounds), causing memory corruption and process termination, resulting in denial of service for all clients on the affected AP (oss-security, GitHub Advisory).syslog, journalctl); hostapd log entries showing association request processing from an unknown MAC address immediately before process termination; kernel messages indicating memory corruption or segmentation fault from the hostapd process.hostapd daemon; core dump files generated by hostapd in the working directory or /var/crash/.The primary remediation is to upgrade hostapd to version 2.12 or apply the upstream 2026-1 security fixes (commits 46dd5a4ffc9bcf44cf8fc45120b3e1e5ec922187 and aa9d345887389a251c63a3781d2ad2940d079193). As a workaround, operators who do not require Wi-Fi 7 MLO functionality can rebuild hostapd without CONFIG_IEEE80211BE to eliminate the vulnerable code path entirely. Additional mitigations include restricting physical wireless access through network segmentation and applying strong authentication for management interfaces (oss-security, GitHub Advisory).
The vulnerability was independently discovered and reported by two researchers: Sebastián Alba Vives (credited in the upstream advisory) and Abhinav Agarwal (who also reported it and disclosed it on the oss-security mailing list). The upstream hostapd maintainer published a security advisory (2026-1) and patches promptly. Community reaction has been measured given the Medium severity rating, lack of public exploit, and the requirement for physical wireless proximity (oss-security).
Origem: Este relatório foi gerado usando IA
Avaliação de vulnerabilidade gratuita
Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.
Marque uma demonstração personalizada
"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."