{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24912", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2025-01-28T07:05:59.180Z", "datePublished": "2025-03-12T04:43:54.870Z", "dateUpdated": "2025-03-12T13:21:59.254Z"}, "containers": {"cna": {"affected": [{"vendor": "Jouni Malinen", "product": "hostapd", "versions": [{"version": "2.11 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail."}], "problemTypes": [{"descriptions": [{"description": "Premature Release of Resource During Expected Lifetime", "lang": "en-US", "cweId": "CWE-826", "type": "CWE"}]}], "references": [{"url": "https://w1.fi/hostapd/"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109"}, {"url": "https://jvn.jp/en/jp/JVN19358384/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2025-03-12T04:43:54.870Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T13:21:52.296145Z", "id": "CVE-2025-24912", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:21:59.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T13:21:52.296145Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:21:56.027Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Jouni Malinen", "product": "hostapd", "versions": [{"status": "affected", "version": "2.11 and earlier"}]}], "references": [{"url": "https://w1.fi/hostapd/"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44"}, {"url": "https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109"}, {"url": "https://jvn.jp/en/jp/JVN19358384/"}], "descriptions": [{"lang": "en", "value": "hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-826", "description": "Premature Release of Resource During Expected Lifetime"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2025-03-12T04:43:54.870Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24912", "state": "PUBLISHED", "dateUpdated": "2025-03-12T13:21:59.254Z", "dateReserved": "2025-01-28T07:05:59.180Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2025-03-12T04:43:54.870Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail."}], "id": "CVE-2025-24912", "lastModified": "2025-03-12T05:15:37.430", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2025-03-12T05:15:37.430", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN19358384/"}, {"source": "vultures@jpcert.or.jp", "url": "https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109"}, {"source": "vultures@jpcert.or.jp", "url": "https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44"}, {"source": "vultures@jpcert.or.jp", "url": "https://w1.fi/hostapd/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-826"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{"bugzilla": {"description": "hostapd: RADIUS Packet Processing Flaw in hostapd", "id": "2351487", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351487"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-826", "details": ["hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.", "A flaw was found in hostapd. This vulnerability can allow an attacker to force RADIUS authentications to fail via crafted RADIUS packets injected between hostapd and the RADIUS server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-24912", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "hostapd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "hostapd", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-12T04:43:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24912\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24912\nhttps://jvn.jp/en/jp/JVN19358384/\nhttps://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109\nhttps://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44\nhttps://w1.fi/hostapd/"], "threat_severity": "Low"}