{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24912", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2025-01-28T07:05:59.180Z", "datePublished": "2025-03-12T04:43:54.870Z", "dateUpdated": "2025-03-12T13:21:59.254Z"}, "containers": {"cna": {"affected": [{"vendor": "Jouni Malinen", "product": "hostapd", "versions": [{"version": "2.11 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail."}], "problemTypes": [{"descriptions": [{"description": "Premature Release of Resource During Expected Lifetime", "lang": "en-US", "cweId": "CWE-826", "type": "CWE"}]}], "references": [{"url": "https://w1.fi/hostapd/"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109"}, {"url": "https://jvn.jp/en/jp/JVN19358384/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2025-03-12T04:43:54.870Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T13:21:52.296145Z", "id": "CVE-2025-24912", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:21:59.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T13:21:52.296145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:21:56.027Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Jouni Malinen", "product": "hostapd", "versions": [{"status": "affected", "version": "2.11 and earlier"}]}], "references": [{"url": "https://w1.fi/hostapd/"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109"}, {"url": "https://jvn.jp/en/jp/JVN19358384/"}], "descriptions": [{"lang": "en", "value": "hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-826", "description": "Premature Release of Resource During Expected Lifetime"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2025-03-12T04:43:54.870Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24912", "state": "PUBLISHED", "dateUpdated": "2025-03-12T13:21:59.254Z", "dateReserved": "2025-01-28T07:05:59.180Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2025-03-12T04:43:54.870Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:w1.fi:hostapd:*:*:*:*:*:*:*:*", "matchCriteriaId": "2634D924-B17C-47D4-B6DE-F69736D79E54", "versionEndIncluding": "2.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail."}, {"lang": "es", "value": "hostapd no procesa correctamente los paquetes RADIUS manipulados. Cuando hostapd autentica dispositivos Wi-Fi con autenticaci\u00f3n RADIUS, un atacante ubicado entre hostapd y el servidor RADIUS podr\u00eda inyectar paquetes RADIUS manipulados y forzar el fallo de las autenticaciones RADIUS."}], "id": "CVE-2025-24912", "lastModified": "2025-10-24T18:40:03.117", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2025-03-12T05:15:37.430", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN19358384/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Patch"], "url": "https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109"}, {"source": "vultures@jpcert.or.jp", "tags": ["Patch"], "url": "https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44"}, {"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://w1.fi/hostapd/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-826"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{"bugzilla": {"description": "hostapd: RADIUS Packet Processing Flaw in hostapd", "id": "2351487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351487"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-826", "details": ["hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.", "A flaw was found in hostapd. This vulnerability can allow an attacker to force RADIUS authentications to fail via crafted RADIUS packets injected between hostapd and the RADIUS server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-24912", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "hostapd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "hostapd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "hostapd", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-12T04:43:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24912\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24912\nhttps://jvn.jp/en/jp/JVN19358384/\nhttps://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109\nhttps://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44\nhttps://w1.fi/hostapd/"], "threat_severity": "Low"}