Description
Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to insufficient input validation, successful exploitation may terminate a critical system process, resulting in a denial-of-service condition.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient input validation within a protocol‑handling component of the HPE Aruba Networking Wireless Operating System. An unauthenticated attacker can send specially crafted network messages to the affected service, causing it to terminate a critical system process and resulting in a denial‑of‑service condition. The flaw enables disruption of service without requiring any authentication or elevated privileges.

Affected Systems

This flaw affects Hewlett Packard Enterprise’s HPE Aruba Networking Wireless Operating System, specifically the AOS‑8 and AOS‑10 operating system releases. No specific sub‑versions are listed, but any installations running these OS releases are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a High severity vulnerability. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is the network: an attacker needs only to reach the service port, without authentication, and can exploit the flaw from any external or internal host that can reach the protocol. This makes it relatively easy to execute from compromised network devices or remote machines with network access.

Generated by OpenCVE AI on May 12, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba AOS security patch that resolves the input validation issue.
  • As a temporary mitigation, disable or restrict the vulnerable protocol service on the device, limiting it to trusted hosts only.
  • Configure firewalls or ACLs to block unsolicited traffic to the ports used by the vulnerable service.
  • Monitor system logs and process status for unexpected restarts, and verify that the service remains stable.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-20 |

Tue, 12 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted network messages to the affected service. Due to insufficient input validation, successful exploitation may terminate a critical system process, resulting in a denial-of-service condition. |
| Title | | Unauthenticated Denial-of-Service via Crafted Messages in a Network Protocol Handling Component |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T18:52:50.232Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23825

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:31.573

Modified: 2026-05-12T20:16:31.573

Link: CVE-2026-23825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:45:23Z

Weaknesses