20 matches found
CVE-2026-53182
A flaw was found in the Linux kernel's nl80211 Wi-Fi subsystem. The nl80211parsernrelems function, responsible for parsing EMA RNR Enhanced Multiple Access Reduced Neighbor Report lists, does not properly handle an excessive number of nested NL80211ATTREMARNRELEMS inputs. This improper input...
📄 Broadcom Wi-Fi Firmware Out-Of-Bounds Write
Broadcom Wi-Fi firmware remote code execution exploit via an out-of-bounds write in the RRM Neighbor Report Handler. ============================================================================================================================================= | Title : Broadcom 802.11k Remote Code...
CVE-2025-20731
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege when OceReducedNeighborReport is disabled. User interaction is not needed for exploitation...
CVE-2025-20732
In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege when OceReducedNeighborReport is disabled. User interaction is not needed for exploitation...
CVE-2025-20732
The CVE-2025-20732 entry describes a local privilege-escalation flaw in the wlan AP driver (Linksys Wireless Network Controller Driver) caused by an incorrect bounds check that enables an out-of-bounds write. Impact is local, with no user interaction required, and exploitation is not detailed in ...
PT-2025-44970
Name of the Vulnerable Software and Affected Versions Cisco Wireless Lan AP Driver affected versions not specified Description The wlan AP driver contains a flaw where an incorrect bounds check can lead to an out-of-bounds write. Successful exploitation of this issue could allow a malicious actor...
CVE-2024-33015
Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report...
CVE-2024-33015
Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report...
CVE-2024-33015 Buffer Over-read in WLAN Host
Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report...
CVE-2024-33015 Buffer Over-read in WLAN Host
Transient DOS while parsing SCAN RNR IE when bytes received from AP is such that the size of the last param of IE is less than neighbor report...
CVE-2024-33015
CVE-2024-33015 describes a transient DoS in the WLAN host stack during parsing of a SCAN RNR Information Element. Root cause: when bytes from the AP cause the size of the last IE parameter to be smaller than the neighboring report, a DoS can occur. Documented references indicate this affects Qual...
PT-2024-25061 · Qualcomm · Snapdragon +181
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue is related to a Transient Denial of Service DOS that occurs while parsing SCAN RNR IE. This happens when the size of the last parameter of IE ...
SUSE CVE-2017-11120
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204...
CVE-2019-2053
In wnmparseneighborreportelem of wnmsta.c, there is a possible out-of-bounds read due to missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0...
UBUNTU-CVE-2019-2053
In wnmparseneighborreportelem of wnmsta.c, there is a possible out-of-bounds read due to missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0...
CVE-2017-11120
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204...
Buffer overflow
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204...
iPhone 7 and Samsung Galaxy S7 Wi-Fi Chip Hack Vulnerability
Exploit for hardware platform in category remote exploits Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to t...
CVE-2017-11120
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204...
Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1289 The exploit gains code execution on the Wi-Fi firmware on the iPhone 7. The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 14C92, but should work on all versions of iOS up to 10.3.3 included. However...