CVE-2019-9496

HIGH7.5EPSS 4.9%

Published: 4/17/2019Modified: 4/28/2026

Description

An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode. All version of hostapd with SAE support are vulnerable. An attacker may force the hostapd process to terminate, performing a denial of service attack. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.7 are affected.

Affected packages (2)

Alpine/hostapdfrom 0, < 2.8-r0
Debian/wpafrom 0, < 2:2.7+git20190128+0c1e29f-4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2019-9496
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-9496