Denial of Service Vulnerability in Hostapd and Wpa_supplicant by Vendor A
CVE-2019-11555

5.9 MEDIUM

Key Information:

Vendor

W1.fi

CVE Published:
26 April 2019

What is CVE-2019-11555?

The EAP-pwd implementation in hostapd and wpa_supplicant prior to version 2.8 is vulnerable to a denial of service attack due to improper handling of fragmentation reassembly state. Specifically, the software fails to validate the state when an unexpected fragment is received, which can lead to a process termination from a NULL pointer dereference. This issue affects critical components of both hostapd and wpa_supplicant, potentially disrupting service and impacting network security.


CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
