A newly disclosed attack against Wi-Fi networks targets a fundamental weakness in the IEEE 802.11 standard itself — not a specific vendor’s implementation, not a misconfigured access point, but the protocol’s core frame aggregation mechanism. Bruce Schneier flagged the research on his blog in March 2026, and the implications for enterprise wireless security are concrete and immediate.
The attack works by exploiting how Wi-Fi devices handle aggregated MAC Protocol Data Units (A-MPDUs). Frame aggregation was introduced in 802.11n to improve throughput by bundling multiple frames into a single transmission. It’s been a standard feature in every Wi-Fi generation since. The problem is that the aggregation flag — a single bit in the frame header — isn’t authenticated. An attacker who can inject or modify frames over the air can flip this bit, causing the receiving device to misparse a single frame as multiple frames, or vice versa. The result: crafted packets get processed as legitimate traffic.
This isn’t theoretical.
The underlying vulnerability class was first identified by researchers Mathy Vanhoef and others, who have a track record of finding protocol-level Wi-Fi flaws including KRACK and FragAttacks. The latest iteration demonstrates that an attacker within radio range can inject malicious frames into an existing Wi-Fi session without knowing the encryption key. The attack bypasses WPA3. It bypasses WPA2. The encryption doesn’t matter because the flaw sits below the layer where cryptographic protections are applied to the aggregation flag.
So what can an attacker actually do? The demonstrated attack scenarios include redirecting a victim’s DNS queries to an attacker-controlled server, which enables phishing, credential theft, and man-in-the-middle interception of unencrypted traffic. In enterprise environments where internal services still rely on HTTP or legacy protocols, the exposure is significant. The attacker doesn’t need to break any encryption. They just need proximity.
Proximity matters here. This is a radio-range attack, which limits its scalability but not its danger. Corporate campuses, conference venues, airports, hotels — anywhere high-value targets connect to Wi-Fi becomes a viable attack surface. And unlike remote exploits that can be patched with a firewall rule, this one requires physical presence but rewards it with access to traffic that most defenders assume is protected by WPA3’s encryption.
The IEEE’s response has been slow. The aggregation bit authentication problem has been known in academic circles since at least 2021, when Vanhoef’s FragAttacks research first highlighted related issues. The IEEE acknowledged the class of vulnerabilities but hasn’t mandated a fix in the standard. Vendor patches have been inconsistent. Some chipset manufacturers issued firmware updates addressing specific attack variants. Others haven’t. The fragmented nature of Wi-Fi hardware — spanning dozens of chipset vendors, hundreds of device manufacturers, and billions of deployed devices — makes comprehensive remediation nearly impossible in any reasonable timeframe.
Here’s the uncomfortable truth: this vulnerability will persist for years.
Enterprise security teams can’t wait for the IEEE to fix the standard. Practical mitigations exist but require deliberate action. First, enforce HTTPS everywhere on internal networks. DNS-over-HTTPS or DNS-over-TLS should be mandatory, not optional, eliminating the DNS redirection vector. Second, deploy wireless intrusion detection systems that monitor for frame injection anomalies. Third, segment Wi-Fi networks aggressively — assume the wireless link is compromised and design network architecture accordingly. Zero-trust principles aren’t just a buzzword here; they’re the correct engineering response to a transport layer you can’t fully trust.
Some vendors have moved faster than others. Qualcomm and Intel both issued chipset-level mitigations for earlier FragAttacks variants, and security researchers have noted that devices running updated firmware from these manufacturers show improved resistance to the latest techniques. But “improved resistance” isn’t elimination. The protocol-level flaw remains.
The Wi-Fi Alliance, which certifies devices for WPA3 compliance, has not added aggregation flag authentication to its certification requirements. Until it does, even brand-new devices shipping with WPA3 certification carry this vulnerability. Schneier’s assessment on his blog was characteristically blunt: the fix needs to happen at the standard level, and everything else is a workaround.
For security professionals who’ve spent the last decade telling executives that WPA3 made Wi-Fi safe, this is an awkward conversation. WPA3 did improve Wi-Fi security substantially — stronger key exchange, forward secrecy, protection against offline dictionary attacks. But it didn’t address every layer of the protocol stack. The aggregation flag sits in a header field that predates modern security assumptions about what needs authentication. It was designed for performance, not adversarial conditions.
The broader lesson isn’t new but keeps getting reinforced. Protocol design decisions made for efficiency in 2009 become attack surfaces in 2026. The single unauthenticated bit that made frame aggregation slightly faster to process is now the entry point for a class of attacks that undermines the encryption layer above it. Performance optimizations have security costs. They always do.
Industry response will likely follow the usual pattern: academic paper, vendor advisories, partial patches, gradual standard revision. The 802.11 working group moves deliberately. A protocol-level fix could take two to three years to appear in a ratified amendment and longer to reach deployed hardware. In the meantime, the attack works against most Wi-Fi devices in active use today.
Don’t panic. But don’t assume your encrypted Wi-Fi is a secure transport, either. Treat it like you’d treat any untrusted network — because right now, that’s exactly what it is.
WebProNews is an iEntry Publication