CVE-2020-26144: 
vulnerability analysis and mitigation

CVE-2020-26144 was discovered on Samsung Galaxy S3 i9305 4.4.4 devices, where the WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. This vulnerability was disclosed on May 11, 2021, and has a CVSS v3.1 base score of 6.5 (Medium) (NVD).

The vulnerability is part of the FragAttacks (fragmentation and aggregation attacks) collection affecting Wi-Fi devices. The issue allows plaintext A-MSDU frames to be accepted on an encrypted network if the frame begins with an EAPOL LLC/Snap header. The vulnerability exists in the implementation of frame aggregation and fragmentation features of Wi-Fi protocols (FragAttacks).

An adversary can abuse this vulnerability to inject arbitrary network packets independent of the network configuration. This allows attackers to potentially bypass network security controls and inject malicious traffic into protected Wi-Fi networks (Arista Advisory).

To mitigate the vulnerability, devices should be updated with security patches provided by vendors. As general security practices, users should ensure websites use HTTPS, keep devices updated, and follow vendor-specific security recommendations. For unpatched devices, network administrators can consider disabling fragmentation features where possible (FragAttacks).