CyRC assigned the vulnerability a CVSS 4.0 score of 8.4 (high), driven primarily by its availability impact rather than data confidentiality or integrity loss. Testing was conducted using an ASUS RT-BE86U router running firmware versions 3.0.0.6.102_37812 and earlier, though the advisory cautioned that other devices using the same chipset software could be similarly affected.
Chipset-level bugs linger
Researchers said the vulnerability highlights why protocol-stack implementation remains open to serious flaws. “This attack is both easy to execute and highly disruptive, underscoring that even mature and widely deployed network technologies can still yield new and serious attack vectors,” said Saumitra Das, vice president of engineering at Qualys. “Because the attack can be launched by an unauthenticated client, encryption alone offers little protection.”
Das emphasized the role of fuzz testing in uncovering such issues. “Over the years, fuzzing has uncovered a wide range of vulnerabilities, including buffer overflows in drivers, denial-of-service conditions, remote code execution, and performance instability,” he said, adding that the complexity of the WiFi stack makes subtle flaws hard to eliminate.
