CVE-2026-23808

Summary

A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthorized frame injection, bypass client isolation, interfere with cross-client traffic, and compromise network segmentation, integrity, and confidentiality.

Affected Software

VendorProductVersion RangeStatus
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)10.8.0.0affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)10.7.0.0 <= 10.7.2.2affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)10.4.0.0 <= 10.4.1.10affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)8.13.0.0 <= 8.13.1.1affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)8.12.0.0 <= 8.12.0.6affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8)8.10.0.0 <= 8.10.0.21affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References