● Medium · CVSS 5.4

How to Fix CVE-2026-23809: HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) (Bundle Sibling)

Q: Does the CVE-2026-23601 patch close CVE-2026-23809?

Yes. Both CVEs are addressed by the same vendor patch. Applying the patched build closes the full bundle.

Q: Is CVE-2026-23809 listed in CISA KEV?

No public KEV listing at the time of this writing.

Q: Where is the official advisory?

See https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05026en_us&docLocale=en_US

By Sai Kiran Pandrala. Last verified: 2026-05-25.

CVE-2026-23809 is a sibling vulnerability in the same vendor advisory as CVE-2026-23601. Apply the same patched build and you close both. The technical detail below is what differs.

⚡ At a glance


Severity	5.4 (Medium)
Actively exploited?	No public listing in CISA KEV
Affected	HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) 10.8.0.0; HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) 10.7.0.0 to <=10.7.2.2; HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) 10.4.0.0 to <=10.4.1.10; HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) 8.13.0.0 to <=8.13.1.1; HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) 8.12.0.0 to <=8.12.0.6; HPE Aruba Networking Wireless Operating System (AOS-10 & AOS-8) 8.10.0.0 to <=8.10.0.21
Fixed in	Same patched build as CVE-2026-23601
Type (CWE)	CWE-400 Uncontrolled Resource Consumption

What's different about CVE-2026-23809?

A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-BSSID isolation controls. Successful exploitation may enable an attacker to redirect and intercept the victim's network traffic, potentially resulting in eavesdropping, session hijacking, or denial of service.