CVE-2016-4476

Published: May 9, 2016Modified: May 6, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.

Affected (5)

Products: W1.fi: Hostapd, Wpa Supplicant · Canonical: Ubuntu Linux

2 products

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
W1.fi Hostapd	From 0.6.7 to 2.5
W1.fi Wpa Supplicant	From 0.6.7 to 2.5

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 17.04

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

http://www.openwall.com/lists/oss-security/2016/05/03/12

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.ubuntu.com/usn/USN-3455-1

Source: cve@mitre.org

Third Party Advisory

http://www.openwall.com/lists/oss-security/2016/05/03/12

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://www.ubuntu.com/usn/USN-3455-1

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.