hostapd: fix security advisory 2026-1
Cherry pick the patches recommended in the hostapd security advisory
2026-1:
https://w1.fi/security/2026-1/missing-ml-parsing-validation.txt
Vulnerability
Vulnerabilities in parsing and use of received multi-link (MLO/EHT/IEEE
802.11be/Wi-Fi 7) information has been identified in hostapd and
wpa_supplicant. These issues show up in various cases where frames
including information on affiliated links are parsed and processed in
both AP and STA modes. The issues can result in process termination due
to buffer read overflow checks and memory corruption.
The issues for AP mode (hostapd or wpa_supplicant) can result in
denial-of-service attacks due to process termination and small memory
corruption that could theoretically cause other issues, but it does not
seem likely that those could be exploiting in practice. Affected areas
can be reached by sending invalid Management frames without needing
authentication or user action on the target device.
CVE-2026-58374
Link: https://github.com/openwrt/openwrt/pull/24043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>