CVE-2023-52424

Publication date 17 May 2024

Last updated 7 July 2026


Ubuntu priority

Cvss 3 Severity Score

7.4 · High

Score breakdown

Description

The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop. Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake.

Read the notes from the security team

Status

Package Ubuntu Release Status
wpa 26.04 LTS resolute
Not affected
25.10 questing
Not affected
25.04 plucky Ignored end of life, was deferred
24.10 oracular Ignored end of life, was deferred
24.04 LTS noble
Not affected
23.10 mantic Ignored end of life, was deferred [2024-11-13]
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes


alexmurray

Since this is a vulnerability in the 802.11 standard it is assumed that the wpa package in Ubuntu (which is an implementation of this standard) is affected but at this time 2024-11-13 there does not appear to be an official update available from the project which resolves this vulnerability.


mdeslaur

As of 2026-07-07, there is no fix for wpa as this is a flaw in the protocol. Marking as not-affected.

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.4 · High

Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H


Access our resources on patching vulnerabilities