Wpa supplicant
This hub aggregates every CVE we track for Wpa supplicant, a product in the networking infrastructure space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 44
- Critical: 2
- High: 10
- In CISA KEV: 0
Severity distribution
- MEDIUM: 31
- HIGH: 10
- CRITICAL: 2
- LOW: 1
Monthly trend
[Chart: monthly trend, 2024-07 to 2026-06]
Latest CVEs
The 15 most recently published vulnerabilities affecting Wpa supplicant.
- CVE-2022-37660: In hostapd 2.10 and earlier, the PKEX code remains active even after a successful PKEX association. An attacker that successfully bootstrapped public keys with another entity using PKEX in the past... (score: 6.5)
- CVE-2024-5290: An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplic... (score: 8.8)
- CVE-2023-52160: The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during... (score: 6.5)
- CVE-2022-23303: The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an i... (score: 9.8)
- CVE-2022-23304: The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of cache access patterns. NOTE: this issue exists because of ... (score: 9.8)
- CVE-2021-30004: In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c. (score: 5.3)
- CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (pot... (score: 7.5)
- CVE-2019-10064: hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of determinist... (score: 7.5)
- CVE-2019-5061: An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process h... (score: 6.5)
- CVE-2019-16275: hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication of disconnection in certain situations because source address validation is mishandled. This is a denial of service ... (score: 6.5)
- CVE-2019-11555: The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_supplicant (EAP peer) before 2.8 does not validate fragmentation reassembly state properly for a case where an unexpected fragm... (score: 5.9)
- CVE-2019-9494: The implementations of SAE in hostapd and wpa_supplicant are vulnerable to side-channel attacks (score: 5.9)
- CVE-2019-9497: The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit (score: 8.1)
- CVE-2019-9498: The implementations of EAP-PWD in hostapd EAP Server do not validate the scalar and element values in EAP-pwd-Commit (score: 8.1)
- CVE-2019-9499: The implementations of EAP-PWD in wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit (score: 8.1)
Product normalization is registry-driven with AI assist and human review.