CVE-2026-23808 — Code Injection in Packard Enterprise HPE Aruba Networking Wireless Operating System

CWE-94 — Code Injection3 documents3 sources

Severity

8.1HIGHNVD

CNA5.4

EPSS

0.1%

top 77.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hewlett Packard Enterprise HPE Aruba Networking Wireless Operating System Arubanetworks Arubaos

Timeline

PublishedMar 4

Description

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthorized frame injection, bypass client isolation, interfere with cross-client traffic, and compromise network segmentation, integrity, and confidentiality.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5hewlett_packard_enterprise/hpe_aruba_networking_wireless_operating_system10.7.0.0 — 10.7.2.2+5

▶NVDarubanetworks/arubaos6.5.4.0 — 8.10.0.21+5

🔴Vulnerability Details

CVEList

Client Isolation Bypass via GTK Manipulation↗2026-03-04

▶

GHSA

GHSA-3xgp-5q28-4f22: A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled↗2026-03-04

▶