CVE-2026-23808
Received
Received - Intake
GTK Injection Vulnerability in Wireless Roaming Protocol Enables Remote Attacks
Publication date: 2026-03-04
Last updated on: 2026-03-09
Assigner: Hewlett Packard Enterprise (HPE)
Description
A vulnerability has been identified in a standardized wireless roaming protocol that could enable a malicious actor to install an attacker-controlled Group Temporal Key (GTK) on a client device. Successful exploitation of this vulnerability could allow a remote malicious actor to perform unauthorized frame injection, bypass client isolation, interfere with cross-client traffic, and compromise network segmentation, integrity, and confidentiality.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arubanetworks | arubaos | From 10.3.0.0 (inc) to 10.4.1.10 (inc) |
| arubanetworks | arubaos | From 10.5.0.0 (inc) to 10.7.2.2 (inc) |
| arubanetworks | arubaos | From 6.5.4.0 (inc) to 8.10.0.21 (inc) |
| arubanetworks | arubaos | From 8.11.0.0 (inc) to 8.12.0.6 (inc) |
| arubanetworks | arubaos | From 8.13.0.0 (inc) to 8.13.1.1 (inc) |
| arubanetworks | arubaos | 10.8.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |