diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index e5e8d287f..9eb479563 100644
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -804,10 +804,11 @@ static const u8 * wps_registrar_get_pin(struct wps_registrar *reg,
 		/* Check for wildcard UUIDs since none of the UUID-specific
 		 * PINs matched */
 		dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
-			if (pin->wildcard_uuid == 1) {
+			if (pin->wildcard_uuid == 1 ||
+			    pin->wildcard_uuid == 2) {
 				wpa_printf(MSG_DEBUG, "WPS: Found a wildcard "
 					   "PIN. Assigned it for this UUID-E");
-				pin->wildcard_uuid = 2;
+				pin->wildcard_uuid++;
 				os_memcpy(pin->uuid, uuid, WPS_UUID_LEN);
 				found = pin;
 				break;
@@ -849,7 +850,7 @@ int wps_registrar_unlock_pin(struct wps_registrar *reg, const u8 *uuid)
 
 	dl_list_for_each(pin, &reg->pins, struct wps_uuid_pin, list) {
 		if (os_memcmp(pin->uuid, uuid, WPS_UUID_LEN) == 0) {
-			if (pin->wildcard_uuid == 2) {
+			if (pin->wildcard_uuid == 3) {
 				wpa_printf(MSG_DEBUG, "WPS: Invalidating used "
 					   "wildcard PIN");
 				return wps_registrar_invalidate_pin(reg, uuid);
@@ -2104,6 +2105,13 @@ static int wps_process_e_snonce2(struct wps_data *wps, const u8 *e_snonce2)
 	wps->wps_pin_revealed = 0;
 	wps_registrar_unlock_pin(wps->wps->registrar, wps->uuid_e);
 
+	/*
+	 * In case wildcard PIN is used and WPS handshake succeeds in the first
+	 * attempt, wps_registrar_unlock_pin() would not free the PIN, so make
+	 * sure the PIN gets invalidated here.
+	 */
+	wps_registrar_invalidate_pin(wps->wps->registrar, wps->uuid_e);
+
 	return 0;
 }