CVE-2026-20004
Memory Exhaustion DoS in Cisco IOS XE TLS Library
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Cisco Systems, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-771 | The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the TLS library of Cisco IOS XE Software and allows an unauthenticated, adjacent attacker to exhaust the available memory of an affected device.
It occurs due to improper management of memory resources during the TLS connection setup process.
An attacker can exploit this by repeatedly triggering conditions that cause memory usage to increase, such as repeatedly attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled or by performing a machine-in-the-middle attack to reset TLS connections.
Successful exploitation can lead to memory exhaustion, causing the device to unexpectedly reload and resulting in a denial of service (DoS) condition.
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service (DoS) on affected Cisco IOS XE devices.
An attacker can exhaust the device's memory, leading to unexpected reloads and service interruptions.
This can disrupt network availability and potentially affect business operations that rely on the affected device.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using the Cisco Software Checker tool, which helps determine exposure and identify fixed releases on your devices.
Affected devices are those configured with features that establish TLS connections such as local EAP, RadSec, Session Aware Networking (SANet), and telemetry.
There are no specific commands provided in the advisory or resources to detect this vulnerability directly on your network or system.
What immediate steps should I take to mitigate this vulnerability?
There are no available workarounds for this vulnerability.
The immediate step to mitigate this vulnerability is to upgrade affected Cisco IOS XE devices to the fixed software releases provided by Cisco.
Cisco strongly recommends applying these updates as soon as possible to prevent potential denial of service conditions caused by memory exhaustion.
For assistance with upgrades and support, customers should contact Cisco Technical Assistance Center (TAC).