CVE-2025-24912: hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the...

Description

hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates Wi-Fi devices with RADIUS authentication, an attacker positioned between hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.

Classification

CVE ID: CVE-2025-24912

CVSS Base Severity: LOW

CVSS Base Score: 3.7

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem Types

Premature Release of Resource During Expected Lifetime

Affected Products

Vendor: Jouni Malinen

Product: hostapd

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.26% (probability of being exploited)

EPSS Percentile: 46.83% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-10 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-24912
https://w1.fi/hostapd/
https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44
https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109
https://jvn.jp/en/jp/JVN19358384/

Timeline