Most people are assuming the password was brute forced rather than it being a deauthentication attack. ISP provided routers (what the majority of people use) are so badly designed and left vulnerable it should be illegal. Heck some ISPs here still refuse to use IPv6.
https://git.morello-project.org/morello/kernel/linux