Published: 8 August 2019
The implementations of SAE and EAP-pwd in hostapd and wpa_supplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differences and cache access patterns when Brainpool curves are used. An attacker may be able to gain leaked information from a side-channel attack that can be used for full password recovery.
CVSS 3 base score: 5.9
from Debian "bug was added in v2.5"
SAE is not enabled in Ubuntu builds, some of the patches aren't required.