Missing network context validation for PMKSA caching Published: July 9, 2026 Latest version available from: https://w1.fi/security/2026-2/ Vulnerability wpa_supplicant supports driver-based selection of PMKSA cache entries with drivers that select the target access point internally. However, that code path for selecting a PMKSA entry is executed for all cases and it does not enforce matching rules consistently to the case where wpa_supplicant selects the PMKSA entry internally. In particular, this missed enforcement of network context match (i.e., the PMKSA entry to be created using the same network configuration block) and AKMP (i.e., use of the same key management option). Missing checks allowed a misbehaving access point to trick wpa_supplicant to use an unrelated PMKSA entry when establishing keys for an association. While the targeted PMKSA entry itself needs to exist, i.e., an attacker would need to know a valid credential for any configured network, this could allow bypassing expected authentication steps for a network. This issue is not applicable against cases where WPA3-Personal (SAE) is used in the target network. However, PMKSA entries established using SAE can be used in an attack against networks using other options (e.g., WPA2-Personal (PSK) or WPA2/WPA3-Enterprise (EAP). Vulnerable versions/configurations All versions of wpa_supplicant. Acknowledgments Thanks to discovering and reporting the issues to: 1. Anand Agrawal, Research Fellow, Singapore University of Technology and Design 2. Prof. Sudipta Chattopadhyay, Associate Professor, University of Missouri--Kansas City (UMKC). 3. Prof. Jianying Zhou, Professor, Singapore University of Technology and Design. Possible mitigation steps - Update to wpa_supplicant v2.12 or newer once available - Merge the following commit to an earlier wpa_supplicant version and rebuild: https://git.w1.fi/cgit/hostap/commit/?id=de5e73a03c34d83568afb3183b2b28c8d7641a30 Require network_ctx and AKMP match for accepting PMKSA entry