CVE-2006-6332

MadWifi - Stack-Based Buffer Overflow in IEEE80211 Wireless Component

Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-6332. PoCs published by Metasploit, Massimiliano Oldani, Julien Tinnes.

AI-analyzed exploit summary: This is a Metasploit module exploiting a remote kernel-mode stack-based buffer overflow in the Madwifi driver (CVE-2006-6332). It crafts malicious beacon frames to trigger the vulnerability in the `giwscan_cb` function, leading to arbitrary code execution on vulnerable Linux systems.

Description

Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWifi before 0.9.2.1 allows remote attackers to execute arbitrary code via unspecified vectors, related to the encode_ie and giwscan_cb functions.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/16835

This is a Metasploit module exploiting a remote kernel-mode stack-based buffer overflow in the Madwifi driver (CVE-2006-6332). It crafts malicious beacon frames to trigger the vulnerability in the `giwscan_cb` function, leading to arbitrary code execution on vulnerable Linux systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Madwifi driver (0.9.2 and madwifi-ng drivers since r1504)
No auth needed
Prerequisites: Lorcon2 library · Supported wireless card · Linux platform · Target system running vulnerable Madwifi driver
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Massimiliano Oldani · c · remote · linux
https://www.exploit-db.com/exploits/3389

This exploit targets a kernel buffer overflow in madwifi's WPA/RSN IE handling (CVE-2006-6332). It crafts a malicious 802.11 beacon frame with an oversized WPA Information Element to trigger the vulnerability, achieving remote code execution in kernel context via a connect-back shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: madwifi 0.9.2 (and likely other versions)
No auth needed
Prerequisites: Attacker must be within wireless range · Target must process the malicious beacon frame (e.g., during scanning) · Kernel must be compiled with vulnerable madwifi version
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Julien Tinnes · ruby · remote · linux
https://www.exploit-db.com/exploits/10024

This exploit targets a remote kernel-mode stack-based buffer overflow in the Madwifi driver (CVE-2006-6332) by sending malicious beacon frames. It achieves reliable remote code execution on vulnerable Linux systems with Madwifi versions prior to 0.9.2.1.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Madwifi driver < 0.9.2.1
No auth needed
Prerequisites: Linux system with vulnerable Madwifi driver · Supported wireless card for Lorcon2 · Ruby and Metasploit framework
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Patch x_refsource_misc
http://madwifi.org/changeset/1842
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_74_madwifi.html
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21486
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_28_sr.html
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200612-09.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23335
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23277
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/925529
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4901
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-404-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30800
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23694

Scores

EPSS 0.1968
EPSS Percentile 97.1%

Details

Status published
Products (1)
madwifi/madwifi 0.9.2.1
Published Dec 10, 2006
Tracked Since Feb 18, 2026