Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2020-26146

CVE-2020-26146: Samsung Galaxy I9305 Information Disclosure

CVE-2020-26146 is an information disclosure flaw in Samsung Galaxy I9305 firmware affecting WPA/WPA2/WPA3 implementations. Attackers can exploit fragment reassembly to exfiltrate data. This guide covers technical details, affected versions, impact, and mitigation.

Updated:

CVE-2020-26146 Overview

CVE-2020-26146 is a Wi-Fi protocol vulnerability affecting WPA, WPA2, and WPA3 implementations across multiple vendors. The flaw allows reassembly of encrypted fragments with non-consecutive packet numbers. An adversary on the adjacent network can abuse this behavior to exfiltrate selected fragments when fragmented frames are transmitted using WEP, CCMP, or GCMP data-confidentiality protocols. The issue was disclosed as part of the FragAttacks research by Mathy Vanhoef, affecting Samsung Galaxy S3, multiple Arista access points, and Siemens SCALANCE wireless products. The vulnerability is categorized as [CWE-20] Improper Input Validation.

Critical Impact

Attackers within Wi-Fi range can exfiltrate selected encrypted frame fragments, compromising the integrity of wireless data confidentiality protocols.

Affected Products

  • Samsung Galaxy S3 i9305 firmware 4.4.4
  • Arista C-series, O-series, and W-series access points (C-65, C-75, C-100, C-110, C-120, C-130, C-200, C-230, C-235, C-250, C-260, O-90, O-105, W-68, W-118)
  • Siemens SCALANCE W700 IEEE 802.11n, W1700 IEEE 802.11ac, and W1750D firmware

Discovery Timeline

  • 2021-05-11 - FragAttacks research published by Mathy Vanhoef, disclosing CVE-2020-26146
  • 2021-05-11 - CVE-2020-26146 published to the National Vulnerability Database
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2020-26146

Vulnerability Analysis

The vulnerability resides in how affected Wi-Fi stack implementations reassemble 802.11 frame fragments. The IEEE 802.11 standard permits fragmentation of frames to improve transmission reliability. Compliant implementations should only reassemble fragments that share consecutive packet numbers (PN) under CCMP or GCMP. Affected devices skip this verification and accept fragments with non-consecutive packet numbers during reassembly.

An attacker positioned within radio range can inject malicious fragments that the receiver combines with legitimate encrypted fragments. The result is selective exfiltration of plaintext data from fragmented frames protected by WEP, CCMP, or GCMP. WEP is structurally vulnerable to this class of attack because it lacks per-fragment integrity binding.

Root Cause

The root cause is improper input validation in the fragment reassembly logic of the wireless driver or firmware. The implementation does not enforce that all fragments belonging to the same frame carry consecutive packet numbers. This violates the design assumption that fragment ordering is cryptographically bound to the original frame.

Attack Vector

Exploitation requires the attacker to be on an adjacent network within Wi-Fi range of the victim device. The adversary must wait for the victim to transmit or receive a fragmented frame. The attacker then injects a crafted fragment with a non-consecutive packet number to trigger the reassembly flaw. The attack complexity is high because it depends on the victim sending fragmented frames, which is uncommon in many real-world deployments.

No public proof-of-concept exploit is associated with this specific CVE, though the broader FragAttacks toolkit released by the original researcher demonstrates the technique. See the FragAttacks Official Website and GitHub FragAttacks Summary for technical details.

Detection Methods for CVE-2020-26146

Indicators of Compromise

  • Wireless frames containing fragments with non-consecutive packet numbers reaching the same destination
  • Unexpected fragment reassembly events in wireless driver logs on affected endpoints
  • Anomalous 802.11 fragmentation patterns observed by wireless intrusion detection sensors

Detection Strategies

  • Deploy a Wireless Intrusion Detection System (WIDS) capable of inspecting 802.11 fragment sequence numbers and flagging non-consecutive PN reassembly
  • Capture and analyze 802.11 traffic with tools such as Wireshark to identify fragment injection patterns from unauthorized stations
  • Correlate client-side disconnects and reauthentication events with nearby unknown stations transmitting fragmented frames

Monitoring Recommendations

  • Enable detailed Wi-Fi driver logging on managed endpoints and forward logs to a centralized analytics platform
  • Monitor wireless controllers for firmware versions known to be vulnerable and track patch deployment status
  • Track rogue access point and rogue client detections in proximity to high-value endpoints

How to Mitigate CVE-2020-26146

Immediate Actions Required

  • Inventory all wireless endpoints and access points against the affected products list and prioritize patching
  • Disable WEP across the environment; WEP is vulnerable to this attack by design and offers no remediation path
  • Apply vendor firmware updates from Arista, Siemens, and Samsung where available

Patch Information

Vendors released firmware updates addressing the FragAttacks family of vulnerabilities. Refer to the Arista Security Advisory #12602, Siemens Security Advisory SSA-913875, and Siemens Security Advisory SSA-019200 for vendor-specific guidance. Samsung Galaxy S3 i9305 running Android 4.4.4 is end-of-life and will not receive a fix; affected handsets should be retired.

Workarounds

  • Enforce HTTPS, TLS, or VPN tunneling for all sensitive traffic to neutralize the impact of plaintext fragment exfiltration
  • Where firmware updates are unavailable, segment vulnerable wireless endpoints onto isolated SSIDs with restricted access to internal resources
  • Disable 802.11 frame fragmentation on access points where the configuration option exists, reducing the conditions required for exploitation
bash
# Configuration example - disable WEP and require WPA2/WPA3 on a hostapd-based AP
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=2
# Reduce fragmentation surface where supported
fragm_threshold=2346

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.