The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.

Related CVEs

CVE-2019-13377

Key Information

GHSA ID

GHSA-m5xx-ghwp-mgmq

Published

May 24, 2022 4:53 PM

Last Modified

April 4, 2024 1:40 AM

CVSS Score

5.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.