CVE-2015-5314
Description
EAP-pwd missing last fragment length check in hostapd 2.0-2.5 allows remote denial of service via crafted fragment.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd versions 2.0 through 2.5. When an incoming EAP-pwd message is fragmented, the remaining reassembly buffer length is validated for every fragment except the last one. A specially crafted final fragment can therefore be longer than the space left in the reassembly buffer. The internal wpabuf_put_data() function detects the overflow and prevents the out-of-bounds write, but it does so by aborting the process, which results in a denial of service. The issue is present only when EAP-pwd is enabled in the runtime configuration (for hostapd as an internal EAP server or as a RADIUS server) and the build includes CONFIG_EAP_PWD=y [1][2].
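As an added illustration that is not hostapd's own code, the following C model of the server-side fragment reassembly path shows the 2.0-2.5 behaviour (only fragments with the M bit set are length-checked) beside the patched behaviour that validates every fragment before appending it; the 16-byte buffer, the fragment sizes and the FRAG_ABORT outcome standing in for wpabuf_put_data()'s abort are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of handling one EAP-pwd fragment in this model. */
enum frag_result {
    FRAG_ACCEPTED, /* stored, waiting for more fragments */
    FRAG_COMPLETE, /* last fragment stored, message fully reassembled */
    FRAG_REJECTED, /* length check failed: fragment dropped, daemon keeps running */
    FRAG_ABORT     /* models wpabuf_put_data() detecting overflow and aborting */
};

#define REASM_CAP 16 /* constructed: total length announced by fragment 1 */

struct reasm {
    uint8_t buf[REASM_CAP];
    size_t cap;  /* allocated reassembly size */
    size_t used; /* bytes received so far */
};

/* check_last=false reproduces the 2.0-2.5 logic (only fragments with the
 * M bit set were validated); check_last=true applies the fix, validating
 * every fragment, including the final one, before it is appended. */
enum frag_result handle_fragment(struct reasm *r, const uint8_t *frag,
                                 size_t len, bool more, bool check_last)
{
    size_t avail = r->cap - r->used;
    if ((more || check_last) && len > avail)
        return FRAG_REJECTED;
    if (len > avail)      /* unchecked path: wpabuf_put_data() would abort */
        return FRAG_ABORT;
    memcpy(r->buf + r->used, frag, len);
    r->used += len;
    return more ? FRAG_ACCEPTED : FRAG_COMPLETE;
}

/* Two constructed fragments: 8 bytes with M set, then a last fragment of
 * last_len bytes. last_len > 8 exceeds the 16-byte reassembly buffer. */
enum frag_result reassemble_two(size_t last_len, bool check_last)
{
    struct reasm r = { .cap = REASM_CAP, .used = 0 };
    uint8_t first[8] = {0}, last[REASM_CAP] = {0};
    if (last_len > sizeof last) return FRAG_REJECTED; /* keep the model in bounds */
    if (handle_fragment(&r, first, sizeof first, true, check_last) != FRAG_ACCEPTED)
        return FRAG_REJECTED;
    return handle_fragment(&r, last, last_len, false, check_last);
}
```

With the unpatched logic an oversized last fragment reaches the abort path; with the fix it is rejected and the daemon keeps serving other clients.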
Exploitation
An attacker within radio range of an access point (AP) can send a series of fragmented EAP-pwd messages in which the last fragment's length exceeds the remaining reassembly buffer capacity. No authentication is required; the attacker only needs the ability to transmit 802.11 frames carrying the malformed EAP-pwd fragment. For hostapd acting as an internal EAP server or as a RADIUS server with EAP-pwd enabled, the crafted last fragment reaches the code path that lacks the length check, and the process terminates [1][2]. No user interaction or special privileges are needed.
Impact
Successful exploitation causes the hostapd process (or, in the case of wpa_supplicant, the corresponding supplicant process) to terminate abnormally. This results in a denial of service for all clients relying on that hostapd instance for authentication. For a RADIUS server configuration, the impact extends to any AP authorized to use that server. The attack does not enable code execution or information disclosure; the outcome is strictly a crash and loss of availability [1][2].
Mitigation
Hostapd versions 2.6 and later contain the fix. Earlier releases can be patched by merging the commits "EAP-pwd peer: Fix last fragment length validation" and "EAP-pwd server: Fix last fragment length validation" from the w1.fi repository [2]. If upgrading is not immediately possible, removing CONFIG_EAP_PWD=y from the build configuration and disabling EAP-pwd in the runtime configuration eliminates the attack surface. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
- www.ubuntu.com/usn/USN-2808-1 (MITRE; vendor advisory; x_refsource_UBUNTU)
- www.debian.org/security/2015/dsa-3397 (MITRE; vendor advisory; x_refsource_DEBIAN)
- w1.fi/security/2015-7/eap-pwd-missing-last-fragment-length-validation.txt (MITRE; x_refsource_CONFIRM)
- www.openwall.com/lists/oss-security/2015/11/10/10 (MITRE; mailing list; x_refsource_MLIST)
News mentions (0)
No linked articles in our index yet.