Bug 2498948 - CVE-2026-58374 dcm2niix: hostapd: Denial of Service via malformed Wi-Fi 7 Multi-Link Operation association request [fedora-all]
Summary: CVE-2026-58374 dcm2niix: hostapd: Denial of Service via malformed Wi-Fi 7 Mul...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: dcm2niix
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Ankur Sinha (FranciscoD)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["ec2e3662-3a00-407f-8270-e...
Depends On:
Blocks: CVE-2026-58374
TreeView+ depends on / blocked
 
Reported: 2026-07-10 09:41 UTC by Dhananjay Arunesh
Modified: 2026-07-10 19:54 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-07-10 19:54:27 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2026-07-10 09:41:57 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

In hostapd before 2.12, a missing bounds check in AP-mode Wi-Fi 7 (IEEE 802.11be) Multi-Link Operation (MLO) association request processing allows an unauthenticated attacker within wireless range to send a crafted management frame containing a malformed Multi-Link Element or Per-STA Profile subelement. In hostapd_process_ml_assoc_req() in src/ap/ieee802_11_eht.c, the received link_id field can be parsed as value 15, but the corresponding links[] storage only has valid entries for lower link IDs (0 through 14). This causes an out-of-bounds write / small memory corruption during association processing before the 4-way handshake. The attack does not require network credentials, prior authentication, or user interaction. The confirmed practical impact is denial of service through hostapd process termination. This affects hostapd v2.11 and newer development snapshots before v2.12 when built with CONFIG_IEEE80211BE enabled. The issue is fixed in hostapd v2.12 and the upstream 2026-1 fixes.

Comment 1 Ben Beasley 2026-07-10 19:54:27 UTC
Only a base64 implementation is copied from hostapd, so this doesn’t apply.


Note You need to log in before you can comment on or make changes to this bug.