VYPR

hostapd

by Hostap

CVEs (6)

  • CVE-2019-10064HigFeb 28, 2020
    risk 0.49cvss 7.5epss 0.04

    hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

  • CVE-2016-10743HigMar 23, 2019
    risk 0.49cvss 7.5epss 0.02

    hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.

  • CVE-2022-37660MedFeb 11, 2025
    risk 0.42cvss 6.5epss 0.00

    In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public…

  • CVE-2019-13377MedAug 15, 2019
    risk 0.39cvss 5.9epss 0.02

    The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information…

  • CVE-2019-11555MedApr 26, 2019
    risk 0.39cvss 5.9epss 0.03

    The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragment could be received. This could result in process termination due to a NULL…

  • CVE-2025-24912LowMar 12, 2025
    risk 0.24cvss 3.7epss 0.01

    hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.