diff --git a/components/wpa_supplicant/src/ap/ieee802_11.c b/components/wpa_supplicant/src/ap/ieee802_11.c
index 38a71d190c..f47a9b86cc 100644
--- a/components/wpa_supplicant/src/ap/ieee802_11.c
+++ b/components/wpa_supplicant/src/ap/ieee802_11.c
@@ -426,7 +426,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
 				     struct sae_data *sae)
 {
     const struct wpabuf *groups;
-    size_t i, count;
+    size_t i, count, len;
     const u8 *pos;
 
     if (!sae->tmp)
@@ -436,7 +436,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
         return 0;
 
     pos = wpabuf_head(groups);
-    count = wpabuf_len(groups);
+    len = wpabuf_len(groups);
+    if (len & 1) {
+        wpa_printf(MSG_DEBUG,
+                  "SAE: Invalid length of the Rejected Groups element payload: %zu",
+                  len);
+        return 1;
+    }
+
+    count = len / 2;
     for (i = 0; i < count; i++) {
         int enabled;
         u16 group;