The EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.

The issue was found by Mohamed Sabt and his team at the University of Rennes.

Similar issues were found and fixed in hostapd and iwd.

The issue was fixed in commit 9e5e8f2f.