The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache. Weak passwords may be cracked. Versions of hostapd/wpa_supplicant 2.7 and newer, are not vulnerable to the timing attack described in CVE-2019-9494. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
AI analysis not yet available
Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| w1.fi | hostapd | 2.7 | - |
| w1.fi | wpa_supplicant | 2.7 |
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
25
Affected Products
20
References
w1.fi / hostapd +24 more
| fedoraproject | fedora | - | - |
| fedoraproject | fedora | - | - |
| fedoraproject | fedora | - | - |
| opensuse | backports_sle | - | - |
| opensuse | backports_sle | - | - |
| opensuse | leap | - | - |
| synology | radius_server | - | - |
| synology | router_manager | 1.2.3-8017 | - |
| debian | debian_linux | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
| freebsd | freebsd | - | - |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability
Impact