Mathy Vanhoef

16 exploits Active since Nov 2013
CVE-2025-27558 WRITEUP CRITICAL WRITEUP
IEEE P802.11-REVme D1.1-D7.0 - Frame Injection via Non-SSP A-MSDU Handling
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.
CVSS 9.1
CVE-2019-13456 WRITEUP MEDIUM WRITEUP
FreeRADIUS 3.0.0-3.0.19 - Password Information Leak via EAP-pwd Handshake
In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.
CVSS 6.5
CVE-2020-24586 WRITEUP LOW WRITEUP
IEEE 802.11 - Arbitrary Network Packet Injection and Data Exfiltration via Fragment Cache Attack
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
CVSS 3.5
CVE-2020-24587 WRITEUP LOW WRITEUP
IEEE 802.11 - Use of a Broken or Risky Cryptographic Algorithm
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
CVSS 2.6
CVE-2020-24588 WRITEUP LOW WRITEUP
IEEE 802.11 - Unauthenticated Packet Injection via A-MSDU Flag Manipulation
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
CVSS 3.5
CVE-2020-26139 WRITEUP MEDIUM WRITEUP
NetBSD 7.1 - Unauthenticated EAPOL Frame Forwarding
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
CVSS 5.3
CVE-2020-26140 WRITEUP MEDIUM WRITEUP
ALFA AWUS036H Firmware - Use of a Broken or Risky Cryptographic Algorithm
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
CVSS 6.5
CVE-2020-26141 WRITEUP MEDIUM WRITEUP
ALFA Windows 10 driver <6.1316.1209 - Info Disclosure
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
CVSS 6.5
CVE-2020-26142 WRITEUP MEDIUM WRITEUP
OpenBSD 6.6 - Network Packet Injection via Fragmented Frame Handling
An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
CVSS 5.3
CVE-2020-26143 WRITEUP MEDIUM WRITEUP
ALFA AWUS036ACH Windows 10 Driver 1030.36.604 - Arbitrary Frame Injection via Fragmented Plaintext Frames
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
CVSS 6.5
CVE-2020-26144 WRITEUP MEDIUM WRITEUP
Samsung Galaxy S3 i9305 Firmware - Unauthenticated Network Packet Injection via Plaintext A-MSDU Frame Acceptance
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVSS 6.5
CVE-2020-26145 WRITEUP MEDIUM WRITEUP
Samsung Galaxy S3 i9305 Firmware - Arbitrary Network Packet Injection via Fragment Acceptance
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVSS 6.5
CVE-2020-26146 WRITEUP MEDIUM WRITEUP
Samsung Galaxy S3 i9305 Firmware - Fragment Reassembly Data Exfiltration via Non-Consecutive Packet Numbers
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
CVSS 5.3
CVE-2020-26147 WRITEUP MEDIUM WRITEUP
Linux kernel 5.8.9 - Info Disclosure
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
CVSS 5.4
CVE-2021-38206 WRITEUP MEDIUM WRITEUP
Linux Kernel < 5.12.13 - Denial of Service via 802.11a Frame Injection in mac80211 Radiotap Parser
The mac80211 subsystem in the Linux kernel before 5.12.13, when a device supporting only 5 GHz is used, allows attackers to cause a denial of service (NULL pointer dereference in the radiotap parser) by injecting a frame with 802.11a rates.
CVSS 5.5
CVE-2013-4579 EXPLOITDB python WORKING POC
Linux kernel < 3.12 - Info Disclosure
The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations.