Severe Broadcom WLAN flaw discovered


Discovered during fuzz testing, the bug affects Broadcom chipset software and requires a manual router reboot after each attack.

A high-severity flaw in Broadcom WiFi chipset software can allow an attacker within radio range to completely knock wireless networks offline by sending a single malicious frame, forcing routers to be manually rebooted before connectivity can be restored.

The flaw, uncovered by the Cybersecurity Research Center (CyRC) at Black Duck during fuzz testing of 802.11 protocol implementations, affects 5 GHz wireless networks and causes all connected clients, including those on guest networks, to be disconnected simultaneously.

“Implementation-level flaws in protocols, such as 802.11, are often more difficult to detect than cryptographic weaknesses,” said Ben Ronallo, principal cybersecurity engineer at Black Duck. “Remediation of vulnerabilities in hardware/firmware is always slower due to the downstream effects needing to be fully tested. In the software world, the commonly cited deadline is 90 days, but for hardware or firmware, it’s closer to 180+ days.”

The issue surfaced while researchers were testing ASUS routers for protocol robustness, but further investigation traced the root cause to software used in Broadcom chipsets rather than the router firmware itself. Broadcom has since issued a patch to its customers, and ASUS has released fixed firmware for affected devices, though a complete public list of impacted products remains unavailable.

Broadcom did not immediately respond to CSO’s request for comments.

A low-effort denial-of-service attack

According to the advisory shared with CSO ahead of its publication on Tuesday, exploitation requires no authentication and works regardless of the configured wireless security settings. An attacker only needs to be within radio range to transmit a specially crafted 802.11 frame, immediately rendering the access point unresponsive to all clients on the 5 GHz band.

Devices cannot reconnect until the router is manually restarted, at which point the attack can be repeated indefinitely.

James Maude, field CTO at BeyondTrust, said the findings echo early WiFi attacks that relied on de-authentication and denial-of-service (DoS) tactics. “Given the huge dependence on connectivity for personal devices and ever-increasing numbers of IoT and smart devices, the impacts could be significant,” he said. Maude warned that repeated outages could also enable “evil twin” scenarios, where a rogue access point poses as the legitimate network and tricks users into entering credentials through captive portals.

The good news, Maude added, is that the flaw appears limited to 5 GHz networks, meaning many environments may fall back to 2.4 GHz connectivity automatically, reducing immediate exposure.

CyRC assigned the vulnerability a CVSS 4.0 score of 8.4 (high), driven primarily by its availability impact rather than data confidentiality or integrity loss. Testing was conducted using an ASUS RT-BE86U router running firmware versions 3.0.0.6.102_37812 and earlier, though the advisory cautioned that other devices using the same chipset software could be similarly affected.

Chipset-level bugs linger

Researchers said the vulnerability highlights why protocol-stack implementations remain exposed to serious flaws. “This attack is both easy to execute and highly disruptive, underscoring that even mature and widely deployed network technologies can still yield new and serious attack vectors,” said Saumitra Das, vice president of engineering at Qualys. “Because the attack can be launched by an unauthenticated client, encryption alone offers little protection.”

Das emphasized the role of fuzz testing in uncovering such issues. “Over the years, fuzzing has uncovered a wide range of vulnerabilities, including buffer overflows in drivers, denial-of-service conditions, remote code execution, and performance instability,” he said, adding that the complexity of the WiFi stack makes subtle flaws hard to eliminate.

Broadcom’s PSIRT reportedly confirmed that a patched version of the affected software has been released to customers, with device manufacturers expected to integrate the fix into their own firmware distributions. ASUS also rolled out a fix in firmware version 3.0.0.6.102_37841 and later. CyRC said specific technical details of the vulnerability were intentionally withheld due to the risk of widespread exploitation across wireless infrastructure. Recommendations include segmenting wireless networks, auditing for end-of-life access points, prioritizing patches based on business criticality, and closely monitoring network edges.
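As an added illustration of the "prioritize patches" step above (example code written for this article, not code from CyRC, Black Duck, ASUS or CSO), the script below checks an access-point inventory against the fixed ASUS build. The only page-sourced facts are the affected version (3.0.0.6.102_37812 and earlier) and the fixed version (3.0.0.6.102_37841 and later); the inventory is constructed, and treating the version string as "dotted release + underscore + build number" is an assumption drawn from those two strings.

```python
"""Flag access points whose ASUS firmware predates the fixed build."""
import re
from typing import List, Tuple

FIXED_VERSION = "3.0.0.6.102_37841"  # fixed build as reported in the article
# Assumed format: dotted release, "_", numeric build (e.g. 3.0.0.6.102_37812).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)_(\d+)$")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split '3.0.0.6.102_37812' into ((3, 0, 0, 6, 102), 37812)."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return release, int(m.group(2))


def is_patched(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True when ver is the fixed build or newer (release tuple first, then build)."""
    return parse_version(ver) >= parse_version(fixed)


def triage(inventory: List[dict]) -> List[dict]:
    """Return unpatched APs: highest business criticality first, 5 GHz radios first.

    Unparseable versions are treated as unpatched so they get a manual look
    rather than silently dropping out of the report.
    """
    findings = []
    for ap in inventory:
        try:
            patched = is_patched(ap["firmware"])
        except ValueError:
            patched = False
        if not patched:
            findings.append(ap)
    return sorted(findings, key=lambda a: (-a["criticality"], not a["radio_5ghz"], a["name"]))


INVENTORY = [  # constructed sample data; build numbers other than the two above are invented
    {"name": "ap-lobby", "model": "RT-BE86U", "firmware": "3.0.0.6.102_37812", "radio_5ghz": True, "criticality": 2},
    {"name": "ap-noc", "model": "RT-BE86U", "firmware": "3.0.0.6.102_37841", "radio_5ghz": True, "criticality": 3},
    {"name": "ap-warehouse", "model": "RT-BE86U", "firmware": "3.0.0.6.102_36000", "radio_5ghz": True, "criticality": 3},
    {"name": "ap-guest", "model": "RT-BE86U", "firmware": "3.0.0.6.102_37900", "radio_5ghz": False, "criticality": 1},
    {"name": "ap-legacy", "model": "RT-BE86U", "firmware": "unknown", "radio_5ghz": True, "criticality": 1},
]

if __name__ == "__main__":
    for ap in triage(INVENTORY):
        print(f"{ap['name']:14} {ap['firmware']:20} criticality={ap['criticality']} 5GHz={ap['radio_5ghz']}")
```

An AP whose version cannot be parsed is reported alongside the genuinely unpatched ones, which matches the article's advice to audit for end-of-life access points rather than assume they are covered.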
