Description
Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to insufficient input validation, successful exploitation may terminate a critical system process, resulting in a denial-of-service condition.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can send specially crafted network messages to the protocol‑handling component of HPE Aruba Networking Wireless Operating System (AOS) versions 8 and 10. Because the component lacks sufficient input validation, malformed messages can terminate a critical system process, resulting in a denial‑of‑service condition. The flaw is a potential resource exhaustion issue (CWE‑400).

Affected Systems

The vulnerability affects all deployments of HPE Aruba Networking Wireless Operating System AOS 8 and AOS 10 that have not applied the vendor’s fix. No specific minor or patch version is listed, so any installation of AOS 8 or AOS 10 that includes the unpatched protocol handler is considered vulnerable. The impact concerns the critical system process responsible for network protocol handling, which is shared across all models supporting these operating systems.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Based on the description, it is inferred that an unauthenticated attacker could send crafted network messages to the vulnerable service over any open network interface, potentially terminating a critical system process and causing a denial-of-service condition. The EPSS score is not available, so the current exploitation probability is unknown, but the absence of this vulnerability from the CISA KEV catalog suggests it is not currently known to be actively exploited.

Generated by OpenCVE AI on May 13, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to the latest AOS 8 or AOS 10 firmware that includes the vendor’s correction for this issue
  • If an update is not immediately available, block or rate‑limit traffic to the vulnerable service port using network firewall or access‑control list rules to reduce exposure
  • Continuously monitor device logs for repeated connection attempts or crash events, and verify that the device remains operational after remediation


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to insufficient input validation, successful exploitation may terminate a critical system process, resulting in a denial-of-service condition.
Title Unauthenticated Denial-of-Service via Crafted Messages in a Network Protocol Handling Component
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T21:10:11.372Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23824

Vulnrichment

Updated: 2026-05-12T21:10:08.485Z

NVD

Status: Received

Published: 2026-05-12T20:16:31.463

Modified: 2026-05-12T22:16:32.710

Link: CVE-2026-23824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:45:16Z
