CVE-2025-24912

Name	CVE-2025-24912
Description	hostapd fails to process crafted RADIUS packets properly. When hostapd authenticates wi-fi devices with RADIUS authentication, an attacker in the position between the hostapd and the RADIUS server may inject crafted RADIUS packets and force RADIUS authentications to fail.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
wpa (PTS)	bullseye	2:2.9.0-21+deb11u2	fixed
	bullseye (security)	2:2.9.0-21+deb11u3	fixed
	bookworm	2:2.10-12+deb12u3	fixed
	bookworm (security)	2:2.10-12+deb12u2	fixed
	forky, sid, trixie	2:2.10-24	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
wpa	source	(unstable)	(not affected)

Notes

- wpa <not-affected> (Vulnerable code not present)
Introduced by: https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44
Fixed by: https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109