Description
A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system, potentially leading to a system compromise. Exploitation may also result in a denial-of-service (DoS) condition affecting the impacted system process.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap‑based buffer overflow (CWE‑122) in the Network Management Service of the Aruba AOS firmware. An attacker who can reach the service can send crafted input that overflows a heap buffer, allowing the execution of arbitrary code with the privileges of the underlying operating system. The flaw can also cause the service to crash, resulting in a denial‑of‑service condition.

Affected Systems

Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) firmware includes AOS‑8 and AOS‑10 in its Network Management Service. The flaw exists in these firmware releases, as referenced in the official description, although specific version ranges are not listed in the CNA data.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, and the EPSS score of <1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker can reach the Network Management Service from a remote source, so timely remediation is essential.

Generated by OpenCVE AI on May 13, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Aruba OS firmware patch provided by HPE in the support documentation (https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US).
  • Configure firewall or ACL rules to restrict external access to the Network Management Service to trusted IP ranges or a dedicated management VLAN, preventing unauthenticated traffic.
  • Continuously monitor network traffic and system logs for activity targeted at the management interface, and investigate and block any unauthorized access attempts.

Generated by OpenCVE AI on May 13, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan
CPEs cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Vendors & Products Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan

Wed, 13 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system, potentially leading to a system compromise. Exploitation may also result in a denial-of-service (DoS) condition affecting the impacted system process.
Title Unauthenticated Remote Code Execution via Heap Buffer Overflow in Network Management Service
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Arubanetworks Arubaos Sd-wan
Hpe Arubaos
cve-icon MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T15:41:39.174Z

Reserved: 2026-01-16T15:22:49.225Z

Link: CVE-2026-23827

cve-icon Vulnrichment

Updated: 2026-05-13T15:41:21.721Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T20:16:31.797

Modified: 2026-05-15T12:45:03.770

Link: CVE-2026-23827

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T20:45:04Z

Weaknesses