Description

In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.

INFO

Published Date :

2025-02-11T00:00:00.000Z

Last Modified :

2025-11-03T19:27:21.731Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2022-37660 vulnerability.

Vendors Products
Hostapd
  • Hostapd
W1.fi
  • Hostapd
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2022-37660.

URL Resource
https://link.springer.com/article/10.1007/s10207-025-00988-3 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/04/msg00019.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2022-37660 cve-icon
https://w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2022-37660 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact