An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. An attacker able broadcast a carefully crafted beacon or probing response frame may be able to execute arbitrary code within the context of the kernel on any system scanning for wireless networks. That’s cool. I’m glad I heard about this prior to Black Hat Federal next week. I don’t consider automatic network connectivity to be a vulnerability, only a bad design choice.”]
Source: https://taosecurity.blogspot.com/2006/01/real-wireless-vulnerability-at.html