CVE-2019-9499

Name: CVE-2019-9499
Creator: NVD / NIST
Published: 2019-04-17T14:29:04.057+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10EPSS 2.39%

Last modified Jun 17, 2026

CVE-2019-9499 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. EPSS estimates a 2.39% chance of exploitation in the next 30 days.

Description

The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may complete authentication, session key and control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.39%

81.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
W1.Fi	Hostapd	<= 2.4
W1.Fi	Hostapd	>= 2.5, <= 2.7
W1.Fi	Wpa Supplicant	<= 2.4
W1.Fi	Wpa Supplicant	>= 2.5, <= 2.7
Fedoraproject	Fedora	28
Fedoraproject	Fedora	29
Fedoraproject	Fedora	30
Opensuse	Backports Sle	15.0
Opensuse	Leap	15.1
Debian	Debian Linux	8.0
Synology	Radius Server	3.0
Synology	Router Manager	1.2
Freebsd	Freebsd	>= 11.0, <= 11.1
Freebsd	Freebsd	11.2
Freebsd	Freebsd	12.0

References

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00030.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
https://seclists.org/bugtraq/2019/May/40Mailing List, Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.ascThird Party Advisory
https://w1.fi/security/2019-4/Patch, Vendor Advisory
https://www.synology.com/security/advisory/Synology_SA_19_16Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00021.htmlMailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00030.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/56OBBOJJSKRTDGEXZOVFSTP4HDSDBLAE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVMJOFEYBGXZLFF5IOLW67SSOPKFEJP3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TDOZGR3T7FVO5JSZWK2QPR7AOFIEJTIZ/
https://seclists.org/bugtraq/2019/May/40Mailing List, Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:03.wpa.ascThird Party Advisory
https://w1.fi/security/2019-4/Patch, Vendor Advisory
https://www.synology.com/security/advisory/Synology_SA_19_16Third Party Advisory

Timeline

Published: Apr 17, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-9499?

How severe is CVE-2019-9499?

CVE-2019-9499 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 2.39% probability of exploitation in the next 30 days.

How do I fix CVE-2019-9499?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-9499?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST