CVE-2026-20004
Memory Exhaustion DoS in Cisco IOS XE TLS Library

Publication date: 2026-03-25

Last updated on: 2026-03-25

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the TLS library of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust the available memory of an affected device. This vulnerability is due to improper management of memory resources during TLS connection setup. An attacker could exploit this vulnerability by repeatedly triggering the conditions that cause the memory increase. This could be done in a variety of ways, such as by repeatedly attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled on an affected device or by using a machine-in-the-middle attack and resetting TLS connections between the affected device and other devices. A successful exploit could allow the attacker to exhaust the available memory on an affected device, resulting in an unexpected reload and a denial of service (DoS) condition.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-14
Affected Vendors & Products
Vendor: cisco
Product: ios_xe
Version / Range: *
CWE
CWE-771: The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.
AI Quick Actions
Executive Summary

This vulnerability exists in the TLS library of Cisco IOS XE Software and allows an unauthenticated, adjacent attacker to exhaust the available memory of an affected device.

It occurs due to improper management of memory resources during the TLS connection setup process.

An attacker can exploit this by repeatedly triggering conditions that cause memory usage to increase, such as repeatedly attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled or by performing a machine-in-the-middle attack to reset TLS connections.

Successful exploitation can lead to memory exhaustion, causing the device to unexpectedly reload and resulting in a denial of service (DoS) condition.

Impact Analysis

This vulnerability affects you by enabling a denial of service (DoS) against affected Cisco IOS XE devices.

An attacker can exhaust the device's memory, leading to unexpected reloads and service interruptions.

This can disrupt network availability and potentially affect business operations that rely on the affected device.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Exposure to this vulnerability can be determined with the Cisco Software Checker tool, which identifies whether your devices run an affected release and which releases contain the fix.

Affected devices are those configured with features that establish TLS connections such as local EAP, RadSec, Session Aware Networking (SANet), and telemetry.

There are no specific commands provided in the advisory or resources to detect this vulnerability directly on your network or system.

Mitigation Strategies

There are no available workarounds for this vulnerability.

The immediate step to mitigate this vulnerability is to upgrade affected Cisco IOS XE devices to the fixed software releases provided by Cisco.

Cisco strongly recommends applying these updates as soon as possible to prevent potential denial of service conditions caused by memory exhaustion.

For assistance with upgrades and support, customers should contact Cisco Technical Assistance Center (TAC).
