CVE-2022-37660

CVE-2022-37660 is a medium-severity vulnerability in W1.fi Hostapd with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-323.

Key facts

Description

In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.

Frequently asked questions

What is CVE-2022-37660?
In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.
How severe is CVE-2022-37660?
CVE-2022-37660 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2022-37660 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-37660?
CVE-2022-37660 affects W1.fi Hostapd. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-37660?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2022-37660 have an EU (EUVD) identifier?
Yes. CVE-2022-37660 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-40274.
When was CVE-2022-37660 published?
CVE-2022-37660 was published on 2025-02-11 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in W1.fi Hostapd

All CVEs affecting W1.fi Hostapd →

Other CWE-323 vulnerabilities

Browse all CWE-323 vulnerabilities →