Description
Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack‑based buffer overflow exists in management service components accessed through the command‑line interface of HPE Aruba AOS‑8 and AOS‑10. An attacker who can authenticate with administrative rights can send specially crafted requests that cause the service to execute arbitrary code with the privileges of the underlying operating system. The flaw allows an authenticated user to break out of the intended bounds of the service and run code with elevated privileges, potentially compromising the entire host.

Affected Systems

Hewlett Packard Enterprise’s Aruba Networking Wireless Operating System (AOS). Vulnerable components are present in the AOS‑8 and AOS‑10 operating system releases; specific patch levels are not listed in the data.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score of 0.072% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly confirmed exploits yet. Successful exploitation requires authenticated administrative access; the attack vector would be through the locally connected command‑line interface. Given the high impact and lack of known mitigations, the risk is significant for any systems running the affected operating system versions.

Generated by OpenCVE AI on May 13, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Aruba AOS firmware update that contains the vendor’s fix for the buffer overflow.
  • Limit CLI management access to a small set of trusted administrative hosts and enforce strong authentication to reduce the pool of potentially compromised credentials.
  • Segment the network to isolate management interfaces from general traffic, so that even if a local administrator account is compromised, lateral movement is constrained.

Generated by OpenCVE AI on May 13, 2026 at 23:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan
CPEs cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Vendors & Products Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan

Wed, 13 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems. An authenticated attacker with administrative privileges could exploit these vulnerabilities by sending specially crafted requests to the affected services. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the underlying operating system.
Title Authenticated Stack-Based Buffer Overflow in PAPI Services
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Arubanetworks Arubaos Sd-wan
Hpe Arubaos
cve-icon MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T18:02:04.629Z

Reserved: 2026-05-07T21:29:03.734Z

Link: CVE-2026-44857

cve-icon Vulnrichment

Updated: 2026-05-13T18:02:00.669Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T20:16:44.317

Modified: 2026-05-14T18:42:02.370

Link: CVE-2026-44857

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T23:15:08Z

Weaknesses