Unexpected SAE commit message contents terminating wpa_supplicant Published: July 9, 2026 Latest version available from: https://w1.fi/security/2026-3/ Vulnerability Parsing of SAE commit messages for H2E (Hash-to-Element) cases did not address a corner case where an unexpected contents of the message ended up terminating the wpa_supplicant process due to dereferencing a NULL pointer. A misbehaving access point could use this for denial of service against a station using wpa_supplicant with a network configuration that enables WPA3-Personal (SAE) with H2E. This might also impact some cases using PASN with SAE. Vulnerable versions/configurations wpa_supplicant version 2.10 and 2.11 with CONFIG_SAE=y. Possible mitigation steps - Update to wpa_supplicant v2.12 or newer once available - Merge the following commit to an earlier wpa_supplicant version and rebuild: https://git.w1.fi/cgit/hostap/commit/?id=f12d55ff652ab2e367425c1392510d10d8b9f638 SAE: Fix crash due to NULL pointer dereference in H2E parsing