The vulnerability in hostapd (CVE-2026-58374) arises from a missing bounds check in the function hostapd_process_ml_assoc_req() located in src/ap/ieee802_11_eht.c. Specifically, the received link_id field can be parsed as value 15, but the links[] array only supports indices 0 through 14, causing an out-of-bounds write and memory corruption during processing of a Multi-Link Operation association request. This occurs before the 4-way handshake and can be triggered by an unauthenticated attacker within wireless range by sending a crafted management frame with malformed Multi-Link Element or Per-STA Profile subelements. The confirmed impact is denial of service via hostapd process termination. This affects hostapd versions before 2.12 when built with CONFIG_IEEE80211BE enabled. The vulnerability is fixed in hostapd 2.12 and the upstream 2026-1 fixes.

An unauthenticated attacker within wireless range can cause denial of service by triggering a crash of the hostapd process through crafted management frames exploiting an out-of-bounds write. There is no impact on confidentiality or integrity reported. No authentication or user interaction is required to exploit this vulnerability.

A fix is available in hostapd version 2.12 and the upstream 2026-1 fixes. Users should upgrade to hostapd 2.12 or later to remediate this vulnerability. No other mitigation or temporary workaround is indicated by the vendor advisory.