Buffer Overflow in hostapd Wi-Fi 7 MLO Association Request

Executive Summary

This vulnerability exists in hostapd versions before 2.12 when built with Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) support enabled. It is caused by a missing bounds check in the processing of association requests in AP mode. Specifically, the function hostapd_process_ml_assoc_req() can parse a link_id value of 15, but the internal storage only supports link IDs from 0 to 14. This leads to an out-of-bounds write and small memory corruption during association processing.

An unauthenticated attacker within wireless range can exploit this by sending a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. The attack does not require any network credentials, prior authentication, or user interaction.

The confirmed practical impact is denial of service through termination of the hostapd process. The vulnerability affects hostapd v2.11 and newer snapshots before v2.12 with CONFIG_IEEE80211BE enabled. It has been fixed in hostapd v2.12.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by an attacker within wireless range to cause denial of service on the affected hostapd access point. By sending a specially crafted management frame, the attacker can trigger an out-of-bounds write leading to memory corruption and ultimately cause the hostapd process to terminate.

Since the attack does not require authentication or user interaction, it can be performed by any nearby attacker, potentially disrupting wireless network availability.

The impact is primarily denial of service; exploitation for further attacks beyond process termination and minor memory corruption is considered unlikely.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unexpected hostapd process terminations or crashes, which may indicate exploitation attempts involving malformed Multi-Link Element or Per-STA Profile subelements in association requests.

Since the attack involves crafted management frames sent by unauthenticated attackers within wireless range, network administrators can use wireless packet capture tools (e.g., Wireshark or tcpdump) to analyze association request frames for malformed Multi-Link Elements or Per-STA Profile subelements with invalid link_id values (such as 15).

Specific commands to capture and analyze such frames include:

• Use tcpdump to capture Wi-Fi management frames on the wireless interface (replace wlan0 with your interface): tcpdump -i wlan0 type mgt subtype assoc-req -w capture.pcap
• Open the capture.pcap file in Wireshark and filter for Multi-Link Element or Per-STA Profile subelements in association requests to inspect for malformed or out-of-bounds link_id values.
• Monitor system logs for hostapd crashes or abnormal terminations which may indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update hostapd to version 2.12 or newer, where this vulnerability has been fixed.

If immediate upgrading is not possible, apply the specific upstream patches that address missing link ID validation, bounds checking, and length verification in multi-link parsing as described in the security advisory.

Additionally, ensure that hostapd is built with the CONFIG_IEEE80211BE option properly validated and consider disabling Wi-Fi 7 / MLO AP mode if it is not required, to reduce exposure.

Monitoring for suspicious association requests and hostapd process stability can also help detect exploitation attempts while mitigation is in progress.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in hostapd allows an unauthenticated attacker within wireless range to cause denial of service by terminating the hostapd process through crafted management frames. It does not involve unauthorized access to data, credential compromise, or information disclosure.

Since the confirmed impact is limited to denial of service and minor memory corruption without data breach or integrity compromise, the vulnerability itself does not directly imply non-compliance with data protection regulations such as GDPR or HIPAA.

However, denial of service affecting network availability could indirectly impact compliance if it disrupts critical services or availability requirements mandated by such standards.

Useful 0 Not Useful 0