CVE-2010-1159

aircrack-ng < 1.1 - Heap-Based Buffer Overflow via EAPOL Packet

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1159. PoCs published by Lukas Lueg.

AI-analyzed exploit summary: This exploit generates a malformed IEEE 802.11 packet with an oversized EAPOL length field to trigger a heap overflow in aircrack-ng tools (up to SVN r1675). The crafted packet can cause memory corruption, potentially leading to arbitrary code execution with root privileges.

Description

Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) large length value in an EAPOL packet or (2) long EAPOL packet.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Lukas Lueg · python · dos · multiple
https://www.exploit-db.com/exploits/12217

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: aircrack-ng (up to SVN r1675)
No auth needed
Prerequisites: Network access to target running aircrack-ng tools · Scapy >= 2.x · Pyrit >= 0.3.1-dev r238
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Vendor Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201310-06.xml
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39150
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/55053
Various Sources x_refsource_confirm
http://svn.aircrack-ng.org/trunk/ChangeLog

Scores

EPSS 0.0726
EPSS Percentile 93.6%

Details

CWE: CWE-119
Status published
Products (22)
aircrack-ng/aircrack-ng 0.1
aircrack-ng/aircrack-ng 0.2
aircrack-ng/aircrack-ng 0.2.1
aircrack-ng/aircrack-ng 0.3
aircrack-ng/aircrack-ng 0.4
aircrack-ng/aircrack-ng 0.4.1
aircrack-ng/aircrack-ng 0.4.2
aircrack-ng/aircrack-ng 0.4.3
aircrack-ng/aircrack-ng 0.4.4
aircrack-ng/aircrack-ng 0.5
... and 12 more
Published Oct 28, 2013
Tracked Since Feb 18, 2026