CVE-2020-26146 Overview
CVE-2020-26146 is a Wi-Fi protocol vulnerability affecting WPA, WPA2, and WPA3 implementations across multiple vendors. The flaw allows reassembly of encrypted fragments with non-consecutive packet numbers. An adversary on the adjacent network can abuse this behavior to exfiltrate selected fragments when fragmented frames are transmitted using WEP, CCMP, or GCMP data-confidentiality protocols. The issue was disclosed as part of the FragAttacks research by Mathy Vanhoef and affects Samsung Galaxy S3, multiple Arista access points, and Siemens SCALANCE wireless products. The vulnerability is categorized as CWE-20 (Improper Input Validation).
Critical Impact
Attackers within Wi-Fi range can exfiltrate selected fragments of encrypted frames, undermining the protection that wireless data-confidentiality protocols are meant to provide.
Affected Products
- Samsung Galaxy S3 i9305 firmware 4.4.4
- Arista C-series, O-series, and W-series access points (C-65, C-75, C-100, C-110, C-120, C-130, C-200, C-230, C-235, C-250, C-260, O-90, O-105, W-68, W-118)
- Siemens SCALANCE W700 IEEE 802.11n, W1700 IEEE 802.11ac, and W1750D firmware
Discovery Timeline
- 2021-05-11 - FragAttacks research published by Mathy Vanhoef, disclosing CVE-2020-26146
- 2021-05-11 - CVE-2020-26146 published to the National Vulnerability Database
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2020-26146
Vulnerability Analysis
The vulnerability resides in how affected Wi-Fi stack implementations reassemble 802.11 frame fragments. The IEEE 802.11 standard permits fragmentation of frames to improve transmission reliability. Under CCMP or GCMP, compliant implementations should reassemble only fragments that carry consecutive packet numbers (PN). Affected devices skip this verification and accept fragments with non-consecutive packet numbers during reassembly.
An attacker positioned within radio range can inject malicious fragments that the receiver combines with legitimate encrypted fragments. The result is selective exfiltration of plaintext data from fragmented frames protected by WEP, CCMP, or GCMP. WEP is structurally vulnerable to this class of attack because it lacks per-fragment integrity binding.
Root Cause
The root cause is improper input validation in the fragment reassembly logic of the wireless driver or firmware. The implementation does not enforce that all fragments belonging to the same frame carry consecutive packet numbers. This violates the design assumption that fragment ordering is cryptographically bound to the original frame.
Attack Vector
Exploitation requires the attacker to be on an adjacent network within Wi-Fi range of the victim device. The adversary must wait for the victim to transmit or receive a fragmented frame. The attacker then injects a crafted fragment with a non-consecutive packet number to trigger the reassembly flaw. The attack complexity is high because it depends on the victim sending fragmented frames, which is uncommon in many real-world deployments.
No public proof-of-concept exploit is associated with this specific CVE, though the broader FragAttacks toolkit released by the original researcher demonstrates the technique. See the FragAttacks Official Website and GitHub FragAttacks Summary for technical details.
Detection Methods for CVE-2020-26146
Indicators of Compromise
- Wireless frames containing fragments with non-consecutive packet numbers reaching the same destination
- Unexpected fragment reassembly events in wireless driver logs on affected endpoints
- Anomalous 802.11 fragmentation patterns observed by wireless intrusion detection sensors
Detection Strategies
- Deploy a Wireless Intrusion Detection System (WIDS) capable of inspecting 802.11 fragment sequence numbers and flagging non-consecutive PN reassembly
- Capture and analyze 802.11 traffic with tools such as Wireshark to identify fragment injection patterns from unauthorized stations
- Correlate client-side disconnects and reauthentication events with nearby unknown stations transmitting fragmented frames
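The consecutive-PN check described under Root Cause can also be run passively over captured traffic, because the CCMP/GCMP header carrying the packet number is not encrypted. The following is an added example, not code from the FragAttacks project or any vendor; it assumes frames were already parsed from a monitor-mode capture into the hypothetical `Fragment` record, and the sample frames are constructed.

```python
from typing import NamedTuple

class Fragment(NamedTuple):      # hypothetical record for one captured MPDU
    ta: str      # transmitter address
    ra: str      # receiver address
    tid: int     # QoS traffic identifier
    seq: int     # 12-bit sequence number, shared by all fragments of a frame
    frag: int    # 4-bit fragment number
    more: bool   # More Fragments flag
    hdr: bytes   # 8-byte CCMP/GCMP header, sent in the clear

def ccmp_hdr(pn: int, key_id: int = 0) -> bytes:
    """Build a header for the constructed samples: PN0 PN1 rsvd KeyID PN2..PN5."""
    b = pn.to_bytes(6, "little")
    return bytes([b[0], b[1], 0, 0x20 | (key_id << 6)]) + b[2:]

def parse_pn(hdr: bytes) -> int:
    """Extract the 48-bit packet number; the ExtIV bit (0x20) must be set."""
    if len(hdr) != 8 or not hdr[3] & 0x20:
        raise ValueError("not a CCMP/GCMP header")
    return int.from_bytes(hdr[0:2] + hdr[4:8], "little")

def find_pn_gaps(frames):
    """Return (flow, frag_no, expected_pn, seen_pn) for each non-consecutive PN."""
    last, alerts = {}, []
    for f in frames:
        flow, pn = (f.ta, f.ra, f.tid, f.seq), parse_pn(f.hdr)
        prev = last.get(flow)
        if f.frag == 0:
            last[flow] = (0, pn)                  # start tracking a new frame
        elif prev and f.frag == prev[0] + 1:      # next fragment of a tracked frame
            if pn != prev[1] + 1:
                alerts.append((flow, f.frag, prev[1] + 1, pn))
            last[flow] = (f.frag, pn)
        # retransmissions (same fragment number) and orphan fragments are skipped
        if not f.more:
            last.pop(flow, None)                  # final fragment: stop tracking
    return alerts

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
SAMPLE = [                                           # constructed capture
    Fragment(AP, STA, 0, 100, 0, True,  ccmp_hdr(0x1000)),
    Fragment(AP, STA, 0, 100, 1, True,  ccmp_hdr(0x1001)),
    Fragment(AP, STA, 0, 100, 2, False, ccmp_hdr(0x1002)),
    Fragment(AP, STA, 0, 101, 0, True,  ccmp_hdr(0x1003)),
    Fragment(AP, STA, 0, 101, 1, False, ccmp_hdr(0x2040)),  # PN jumps mid-frame
]

if __name__ == "__main__":
    for flow, frag, want, got in find_pn_gaps(SAMPLE):
        print(f"{flow}: fragment {frag} has PN {got:#x}, expected {want:#x}")
```

A capture that misses a fragment simply stops tracking that frame, so lossy sensors produce fewer alerts rather than false ones.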
Monitoring Recommendations
- Enable detailed Wi-Fi driver logging on managed endpoints and forward logs to a centralized analytics platform
- Monitor wireless controllers for firmware versions known to be vulnerable and track patch deployment status
- Track rogue access point and rogue client detections in proximity to high-value endpoints
How to Mitigate CVE-2020-26146
Immediate Actions Required
- Inventory all wireless endpoints and access points against the affected products list and prioritize patching
- Disable WEP across the environment; WEP is vulnerable to this attack by design and offers no remediation path
- Apply vendor firmware updates from Arista, Siemens, and Samsung where available
Patch Information
Vendors released firmware updates addressing the FragAttacks family of vulnerabilities. Refer to the Arista Security Advisory #12602, Siemens Security Advisory SSA-913875, and Siemens Security Advisory SSA-019200 for vendor-specific guidance. Samsung Galaxy S3 i9305 running Android 4.4.4 is end-of-life and will not receive a fix; affected handsets should be retired.
Workarounds
- Enforce HTTPS, TLS, or VPN tunneling for all sensitive traffic to neutralize the impact of plaintext fragment exfiltration
- Where firmware updates are unavailable, segment vulnerable wireless endpoints onto isolated SSIDs with restricted access to internal resources
- Disable 802.11 frame fragmentation on access points where the configuration option exists, reducing the conditions required for exploitation
# Configuration example - disable WEP and require WPA2/WPA3 on a hostapd-based AP
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=2
# Reduce fragmentation surface where supported (2346 is the maximum threshold, which effectively turns fragmentation off)
fragm_threshold=2346