Fixed
Created: Apr 27, 2025
Updated: Sep 1, 2025
Resolved Date: Jul 23, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Userspace
In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past, will be able to subvert a future bootstrapping by passively observing public keys, re-using the encrypting element Qi and subtracting it from the captured message M (X = M - Qi). This will result in the public ephemeral key X; the only element required to subvert the PKEX association.
CREATE(Triage):(User=admin) CVE-2022-37660 (https://nvd.nist.gov/vuln/detail/CVE-2022-37660)
