Out-of-Bounds Write Vulnerability in hostapd Wi-Fi 7 by Hostap
CVE-2026-58374

6.5MEDIUM

Key Information:

Vendor

W1.fi

Status
Hostapd
Vendor
CVE Published:
30 June 2026

What is CVE-2026-58374?

An out-of-bounds write vulnerability has been identified in hostapd prior to version 2.12, specifically in the processing of Multi-Link Operation (MLO) association requests. This flaw arises from a missing bounds check, allowing an unauthenticated attacker within wireless range to send a crafted management frame. The vulnerability can lead to memory corruption and result in denial of service by terminating the hostapd process. This issue affects hostapd versions 2.11 and development snapshots built with CONFIG_IEEE80211BE enabled, and it has been addressed in version 2.12.

Affected Version(s)

hostapd 0 < 2.12

References

https://w1.fi/security/2026-1/missing-ml-parsing-validati...
vendor-advisory
https://w1.fi/security/2026-1/
vendor-advisorypatch
https://git.w1.fi/cgit/hostap/commit/?id=46dd5a4ffc9bcf44...
patch

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.