CVE-2019-15126

LOW

Apple iPadOS < 13.2 - TOCTOU Race Condition


Exploitation Summary

EIP tracks 5 public exploits for CVE-2019-15126. PoCs published by Maurizio S, hexway, akabe1.

AI-analyzed exploit summary: This Python script exploits CVE-2019-15126 (KR00K) to decrypt WPA2 CCMP data by sending disassociation frames and decrypting packets using an all-zero temporary key. It leverages Scapy for packet manipulation and Cryptodome for AES decryption.

Description

An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

Exploits (5)

exploitdb WORKING POC
by Maurizio S · python · remote · multiple
https://www.exploit-db.com/exploits/48233

This Python script exploits CVE-2019-15126 (KR00K) to decrypt WPA2 CCMP data by sending disassociation frames and decrypting packets using an all-zero temporary key. It leverages Scapy for packet manipulation and Cryptodome for AES decryption.

Classification
Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: WPA2 AES-CCMP (2.4GHz WLANs)
No auth needed
Prerequisites: Monitor mode enabled interface · Target MAC addresses (AP and client) · Proximity to target network
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 221 stars
by hexway · poc
https://github.com/hexway/r00kie-kr00kie

This repository contains a functional PoC exploit for CVE-2019-15126 (kr00k), which targets WiFi vulnerabilities by forcing disassociation and capturing encrypted packets for decryption. The exploit includes detailed usage instructions and demonstrates the attack in action.

Classification
Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: WiFi devices with vulnerable Broadcom and Cypress chips
No auth needed
Prerequisites: WiFi card supporting monitor mode and frame injection · Kali Linux or similar environment · Target BSSID, channel, and client MAC address
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 64 stars
by akabe1 · poc
https://github.com/akabe1/kr00ker

This repository contains a functional Python script that exploits CVE-2019-15126 (KR00K vulnerability) to decrypt WPA2 CCMP data by leveraging a known all-zero temporary key and nonce. The script uses Scapy for packet manipulation and Cryptodome for AES decryption, targeting vulnerable Wi-Fi devices.

Classification
Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: WPA2 CCMP (AES) Wi-Fi devices
No auth needed
Prerequisites: Wireless adapter in monitor mode · Python 3 with Scapy and Cryptodome libraries · Target MAC addresses (AP and client) · Wi-Fi channel information
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 12 stars
by 0x13enny · poc
https://github.com/0x13enny/kr00k

This repository contains a functional PoC for CVE-2019-15126 (kr00k), which exploits a vulnerability in Wi-Fi chips to decrypt WPA2-encrypted packets by forcing the use of an all-zero encryption key. The script actively disassociates a target device and captures/sniffs packets for decryption.

Classification
Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Wi-Fi chips (Broadcom and Cypress) with WPA2 encryption
No auth needed
Prerequisites: Wireless interface capable of monitor mode · Proximity to target Wi-Fi network · Aircrack-ng installed
devstral-2 · analyzed Feb 18, 2026

gitlab WORKING POC
by jamieoglindsey0 · poc
https://gitlab.com/jamieoglindsey0/r00kie-kr00kie

This repository contains a functional PoC exploit for CVE-2019-15126 (kr00k), which targets WiFi devices by forcing disassociation and capturing encrypted packets that can be decrypted due to a vulnerability in the WPA2 protocol implementation. The exploit includes scripts for both live attacks and offline decryption of captured PCAP files.

Classification
Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: WiFi devices with vulnerable WPA2 implementations (e.g., Broadcom and Cypress chips)
No auth needed
Prerequisites: WiFi card supporting monitor mode and frame injection (e.g., Atheros AR9280) · Kali Linux or similar environment · BSSID and MAC address of the target access point and client
devstral-2 · analyzed Feb 23, 2026

References (13)

Core References
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT210721
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT210722
Third Party Advisory, US Government Resource x_refsource_misc
https://us-cert.cisa.gov/ics/advisories/icsa-20-224-05
Vendor Advisory x_refsource_confirm
https://support.apple.com/kb/HT210788

Scores

CVSS v3 3.1
EPSS 0.0771
EPSS Percentile 93.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-367
Status published
Products (9)
apple/ipados < 13.2
apple/iphone_os < 13.2
apple/mac_os_x < 10.15.1
broadcom/bcm43012_firmware
broadcom/bcm43013_firmware
broadcom/bcm4356_firmware
broadcom/bcm43752_firmware
broadcom/bcm4375_firmware
broadcom/bcm4389_firmware
Published Feb 05, 2020
Tracked Since Feb 18, 2026