How to Fix CVE-2026-23810: HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) (Bundle Sibling)
By Sai Kiran Pandrala. Last verified: 2026-05-25.
CVE-2026-23810 is a sibling vulnerability in the same vendor advisory as CVE-2026-23601. Apply the same patched build and you close both. The technical detail below is what differs.
| Severity | 4.3 (Medium) |
|---|---|
| Actively exploited? | No public listing in CISA KEV |
| Affected | HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10): 10.8.0.0; 10.7.0.0 to <=10.7.2.2; 10.4.0.0 to <=10.4.1.10; 8.13.0.0 to <=8.13.1.1; 8.12.0.0 to <=8.12.0.6; 8.10.0.0 to <=8.10.0.21 |
| Fixed in | Same patched build as CVE-2026-23601 |
| Type (CWE) | CWE-300 Channel Accessible by Non-Endpoint |
What's different about CVE-2026-23810?
A vulnerability in the packet processing logic may allow an authenticated attacker to craft and transmit a malicious Wi-Fi frame that causes an Access Point (AP) to classify the frame as group-addressed traffic and re-encrypt it using the Group Temporal Key (GTK) associated with the victim's BSSID. Successful exploitation may enable GTK-independent traffic injection and, when combined with a port-stealing technique, allows an attacker to redirect intercepted traffic to facilitate machine-in-the-middle (MitM) attacks across BSSID boundaries.
How to fix CVE-2026-23810
Apply the patched build per the primary write-up: How to Fix CVE-2026-23601. All commands, verification steps, and rollback notes for HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) are listed there.
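To decide which devices need the patched build, the affected ranges from the table above can be checked against a version inventory. The following is an added example, not code from the vendor advisory or the original write-up; the device names, the sample versions and the handling of a build suffix after the four-part version are assumptions.

```python
# Added example. Ranges are copied from this page's "Affected" row;
# the inventory is constructed sample data, not real devices.
import re

AFFECTED_RANGES = [
    ("10.8.0.0", "10.8.0.0"),
    ("10.7.0.0", "10.7.2.2"),
    ("10.4.0.0", "10.4.1.10"),
    ("8.13.0.0", "8.13.1.1"),
    ("8.12.0.0", "8.12.0.6"),
    ("8.10.0.0", "8.10.0.21"),
]

def parse_version(text):
    """Return a 4-tuple of ints. A trailing build suffix such as '_90001'
    is tolerated (assumption); anything else raises ValueError."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:[_\- ].*)?\s*", text)
    if not m:
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in m.groups())

def affected_range(version):
    """Return the (low, high) range that contains version, or None.
    Tuples compare numerically, so 8.10.0.9 sorts below 8.10.0.21."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high)
    return None

def triage(inventory):
    """Map device name -> 'AFFECTED', 'NOT LISTED' or 'UNPARSEABLE'."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "AFFECTED" if affected_range(version) else "NOT LISTED"
        except ValueError:
            result[name] = "UNPARSEABLE"
    return result

SAMPLE_INVENTORY = {  # constructed
    "ap-lobby": "8.10.0.21", "ap-lab": "8.10.0.9",
    "gw-branch": "10.4.1.10_90001", "ap-floor2": "10.7.2.3",
    "ap-old": "8.11.2.0", "ap-bad": "unknown",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {SAMPLE_INVENTORY[name]:18} {status}")
```

A "NOT LISTED" result only means the version falls outside the ranges on this page; confirm its status against the vendor advisory before treating the device as unaffected.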
Frequently asked questions
Does the CVE-2026-23601 patch close CVE-2026-23810?
Yes. Both CVEs are addressed by the same vendor patch. Applying the patched build closes the full bundle.
Is CVE-2026-23810 listed in CISA KEV?
No public KEV listing at the time of this writing.
Where is the official advisory?
See https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05026en_us&docLocale=en_US
References
- Official vendor advisory: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05026en_us&docLocale=en_US
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23810
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary: How to Fix CVE-2026-23601