WPA3_SAE_Overflow - C5Lab/projectZero GitHub Wiki

WPA3 SAE Overflow Protocol

Why do you need this

WPA3 protocol is resistant to classical deauthentication attacks, but its having its weakness - establishing connection requires heavy cryptographic calculation based on elliptical curves points. This attack sends large number of requests per seconds to the router to prevent any new connections.

How does it work

Flood a single AP with SAE Commit frames using random MAC addresses. Existing connections stay alive, but no new clients can join—the network goes dark.

How to deploy:

  1. scan_networks
  2. select_networks 1 (only one, for max impact)
  3. sae_overflow

Analyze results in Wireshark: look for “too many stations” error from the AP.