Description
A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system.

NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper handling of XML External Entities in the DHCP component of ArubaOS AOS‑8. An unauthenticated remote attacker, by sending crafted XML data, can trigger excessive memory or CPU consumption. This results in a denial‑of‑service that may shut down or slow the DHCP service, reducing the availability of network access points and connected devices.

Affected Systems

The flaw affects Hewlett Packard Enterprise's ArubaOS (AOS) DHCP services, specifically access points running ArubaOS Instant 8.x.x.x. No other HPE products or older ArubaOS versions are mentioned as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available, so the current exploitation probability cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve unauthenticated, remote requests to the DHCP service over the network. Successful exploitation requires only an ability to send XML payloads to the DHCP service; no privileged or authenticated access is needed. Once triggered, the denial‑of‑service can persist until the service is restarted or the firmware updated.

Generated by OpenCVE AI on May 12, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ArubaOS to the latest firmware version that addresses the XML handling issue.
  • If a patch is not yet available, restrict or disable XML parsing for the DHCP service or limit XML feature usage to prevent excessive resource consumption.
  • Monitor DHCP service logs and system resource usage for abnormal spikes that may indicate exploitation attempts.


Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-611

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-611

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-776
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x
Title Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:25:55.101Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23822

Vulnrichment

Updated: 2026-05-12T19:25:49.763Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T19:16:28.947

Modified: 2026-05-13T15:35:17.550

Link: CVE-2026-23822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:44Z

Weaknesses