Talos Vulnerability Report


W1.fi hostapd deauthentication denial-of-service vulnerability

December 11, 2019
CVE Number



An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.

Tested Versions

hostapd version 2.6 on a Raspberry Pi.

Product URLs


CVSSv3 Score

7.4 - AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H


CWE-440 - Expected Behavior Violation


When hostapd receives an Authentication and an AssociationRequest packet, it begins the handshake process with the station. Upon failure to negotiate authentication, hostapd sends Deauthentication packets to the client with the same MAC address as the first two packets.

This behavior can be abused by an attacker to cause a valid station using 802.11w to be deauthenticated from the AP.


2019-07-01 - Initial contact 2019-07-02 - Vendor acknowledged
2019-07-08 - Vendor disclosure; reports issued
2019-07-28 - Vendor confirmed does not trigger above 2.6 version
2019-11-10 - Vendor confirmed fix applied to main repository
2019-12-11 - Public Release


Discovered by Mitchell Frank and Mark Leonard of Cisco