Buffer overflow in W1.fi Hostapd

CVE-2015-4141

The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an…

Vulnerability class: Buffer Overflow

EPSS: 0.015 (81.2th percentile) — read the EPSS interpretation.

Affected products

W1.fi Hostapd — versions 0.7.0, 0.7.1, 0.7.2
W1.fi Wpa_supplicant — versions 0.7.0, 0.7.1, 0.7.2
Opensuse — versions 13.1, 13.2
N/a — versions n/a

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

References

[oss-security] 20150531 Re: CVE request: vulnerability in wpa_supplicant and hostapd (mailing-list, x_refsource_MLIST, Mailing List)
DSA-3397 (vendor-advisory, x_refsource_DEBIAN)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
GLSA-201606-17 (vendor-advisory, Third Party Advisory, x_refsource_GENTOO)
USN-2650-1 (x_refsource_UBUNTU, vendor-advisory)
openSUSE-SU-2015:1030 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
[oss-security] 20150509 CVE request: hostapd/wpa_supplicant - WPS UPnP vulnerability with HTTP chunked transfer encoding (mailing-list, x_refsource_MLIST, Mailing List)