CVE-2026-20048
SNMP Parsing Vulnerability in Cisco Nexus 9000 Causes DoS
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | nexus_9000_series_fabric_switches | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20048 is a high-severity vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco Nexus 9000 Series Fabric Switches operating in ACI mode.
The vulnerability arises from improper processing when parsing SNMP requests. An authenticated remote attacker can exploit this by continuously sending SNMP queries to a specific Management Information Base (MIB) on the affected device.
This causes the SNMP daemon processes to consume increasing memory, leading to an out-of-memory condition, kernel panic, and device reload, resulting in a denial of service (DoS) condition.
Exploitation requires authentication: a valid read-only SNMP community string for SNMPv1 or SNMPv2c, or valid SNMP user credentials for SNMPv3.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition on affected Cisco Nexus 9000 Series Fabric Switches in ACI mode.
An attacker who has valid SNMP authentication credentials can exploit the flaw to trigger a kernel panic, causing the device to reload and become temporarily unavailable.
This can disrupt network operations, potentially impacting availability of critical network infrastructure.
- Requires the SNMP feature to be enabled.
- Requires at least one AAA provider configured using a DNS name or IPv6 address.
- Leads to increased memory usage and SNMP daemon process count before device reload.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the SNMP daemon (snmpd) processes and memory usage on affected Cisco Nexus 9000 Series Fabric Switches operating in ACI mode.
- Check the number of snmpd processes running; an elevated and increasing number (more than 10) may indicate exploitation.
- Monitor memory usage, especially if it exceeds 85% and continues to rise, which can signal an out-of-memory condition caused by the vulnerability.
- Use the command `ps -eaf | grep -i snmpd` to check the running snmpd processes.
- Use the command `free -k | awk 'NR==2 {printf "Memory-used: %.2f%%\n", ($2-$7)/$2*100}'` to check current memory usage. [1]
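As an added illustration (not part of this record or of Cisco's guidance), the POSIX shell script below turns the two indicators above into a single check over `ps -eaf` and `free -k` output. The 10-process and 85% thresholds are the ones stated above; the ps and free snapshots it ships with are constructed, not captured from a device.

```shell
#!/bin/sh
# Added detection helper (not from the advisory): applies the two indicators from the
# detection guidance, more than 10 snmpd processes and memory use above 85%.
SNMPD_MAX=10
MEM_MAX_PCT=85
# Constructed `free -k` snapshots (not captured from a device): total=$2, available=$7.
FREE_HIGH='              total        used        free      shared  buff/cache   available
Mem:       16384000    14000000      800000      100000     1584000     2000000'
FREE_LOW='              total        used        free      shared  buff/cache   available
Mem:       16384000     6000000     8000000      100000     2384000     9000000'
# Constructed `ps -eaf`-style snapshot with $1 snmpd entries plus one unrelated process.
mk_ps() {
  echo "UID        PID  PPID  C STIME TTY          TIME CMD"
  echo "root         1     0  0 Jan01 ?        00:00:03 /sbin/init"
  i=0
  while [ "$i" -lt "$1" ]; do
    i=$((i + 1))
    echo "root      $((2000 + i))     1  0 Jan01 ?        00:00:00 snmpd"
  done
}

# Count snmpd processes in ps output on stdin, case-insensitive like `grep -i snmpd`.
# Unlike a grep pipeline, nothing here matches itself, so the count is not off by one.
count_snmpd() {
  awk 'tolower($0) ~ /snmpd/ { n++ } END { print n + 0 }'
}

# Whole-number percentage of memory in use, from `free -k` output on stdin; the "Mem:" row
# is line 2 and (total - available) / total mirrors the advisory's awk one-liner.
mem_used_pct() {
  awk 'NR == 2 { printf "%d\n", ($2 - $7) * 100 / $2 }'
}

# $1 = ps -eaf text, $2 = free -k text. Prints "<LEVEL> <snmpd count> <mem %>":
# ALERT when both thresholds are exceeded, WARN for one, OK for neither.
assess() {
  procs=$(printf '%s\n' "$1" | count_snmpd)
  mem=$(printf '%s\n' "$2" | mem_used_pct)
  hits=0
  [ "$procs" -gt "$SNMPD_MAX" ] && hits=$((hits + 1))
  [ "$mem" -gt "$MEM_MAX_PCT" ] && hits=$((hits + 1))
  case $hits in 2) level=ALERT ;; 1) level=WARN ;; *) level=OK ;; esac
  echo "$level $procs $mem"
}

# Demo on the constructed snapshots; on a live switch pass "$(ps -eaf)" and "$(free -k)".
assess "$(mk_ps 12)" "$FREE_HIGH"   # ALERT 12 87
assess "$(mk_ps 3)"  "$FREE_LOW"    # OK 3 45
```

A single snapshot only tells you the current state; the guidance above stresses that the counts keep rising, so run the check periodically and alert on the trend as well as the threshold.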
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include modifying the AAA provider configuration and applying software updates.
- If AAA providers are configured using DNS names or FQDNs, update the configuration to use IPv4 addresses instead.
- Note that no workaround exists if AAA providers are configured with IPv6 addresses.
- Strongly consider upgrading to the fixed software releases provided by Cisco to fully remediate the vulnerability.
- Monitor memory usage and snmpd process counts to detect potential exploitation.
- Contact Cisco TAC for assistance with recovery from high memory conditions caused by this vulnerability.