● Medium · CVSS 4.3

How to Fix CVE-2026-23811: HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) (Bundle Sibling)

Q: Does the CVE-2026-23601 patch close CVE-2026-23811?

Yes. Both CVEs are addressed by the same vendor patch. Applying the patched build closes the full bundle.

Q: Is CVE-2026-23811 listed in CISA KEV?

No public KEV listing at the time of this writing.

Q: Where is the official advisory?

See https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05026en_us&docLocale=en_US

By Sai Kiran Pandrala. Last verified: 2026-05-25.

CVE-2026-23811 is a sibling vulnerability in the same vendor advisory as CVE-2026-23601. Apply the same patched build and you close both. The technical detail below is what differs.

⚡ At a glance


Severity	4.3 (Medium)
Actively exploited?	No public listing in CISA KEV
Affected	HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) 10.8.0.0; HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) 10.7.0.0 to <=10.7.2.2; HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) 10.4.0.0 to <=10.4.1.10; HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) 8.13.0.0 to <=8.13.1.1; HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) 8.12.0.0 to <=8.12.0.6; HPE Aruba Networking Wireless Operating Systems (AOS-8 & AOS-10) 8.10.0.0 to <=8.10.0.21
Fixed in	Same patched build as CVE-2026-23601
Type (CWE)	CWE-300 Channel Accessible by Non-Endpoint

What's different about CVE-2026-23811?

A vulnerability in the client isolation mechanism may allow an attacker to bypass Layer 2 (L2) communication restrictions between clients and redirect traffic at Layer 3 (L3). In addition to bypassing policy enforcement, successful exploitation - when combined with a port-stealing attack - may enable a bi-directional Machine-in-the-Middle (MitM) attack.