VDB
DEBIAN-CVE-2022-37660
DEBIAN-CVE-2022-37660
PUBLISHED
CVSS 6.5 MEDIUM
In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | wpa | 0, 0, 0 |
| Debian:11 | wpa | *, 0, 2.9.0-21 |
| Debian:12 | wpa | 2:2.10-12+deb12u2, 2:2.10-12, 2:2.10-12+deb12u1 |
| Debian:13 | wpa | 0, 0, 0 |
Timeline
- Feb 11, 2025 CVE Published
- Apr 28, 2026 CVE Updated