CVE-2026-20012
Memory Leak in Cisco IKEv2 Causes Remote Denial of Service
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Cisco Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_software | * |
| cisco | ios_xe_software | * |
| cisco | secure_firewall_adaptive_security_appliance_asa_software | * |
| cisco | secure_firewall_threat_defense_ftd_software | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Internet Key Exchange version 2 (IKEv2) feature of several Cisco software products, including Cisco IOS, IOS XE, Secure Firewall ASA, and Secure Firewall Threat Defense. It is caused by improper parsing of IKEv2 packets, which allows an unauthenticated remote attacker to send specially crafted IKEv2 packets that trigger a memory leak.
Exploiting this vulnerability can cause different effects depending on the affected software: for Cisco IOS and IOS XE, the device may reload, causing a denial of service (DoS). For Cisco Secure Firewall ASA and Threat Defense, the exploit can partially exhaust system memory, leading to system instability and the inability to establish new IKEv2 VPN sessions. Recovery requires a manual reboot of the device.
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service condition on affected Cisco devices. An attacker can remotely trigger a memory leak that may cause the device to reload or become unstable.
- For Cisco IOS and IOS XE devices, the impact is a device reload, resulting in downtime.
- For Cisco Secure Firewall ASA and Threat Defense devices, the impact is partial memory exhaustion, leading to system instability and failure to establish new IKEv2 VPN sessions.
In both cases, the device requires a manual reboot to recover, which can disrupt network operations and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should monitor for unusual device reloads or system instability related to IKEv2 VPN sessions, as exploitation causes memory leaks leading to denial of service.
Since the vulnerability is triggered by crafted IKEv2 packets, restricting or filtering IKEv2 traffic from untrusted sources may help reduce exposure.
If a device becomes unstable or reloads due to this vulnerability, a manual reboot is required to recover.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect exposure to this vulnerability on your network, first check whether the affected devices have IKEv2 VPN features enabled and whether the relevant UDP ports are open.
- On Cisco IOS and IOS XE devices, check if UDP ports 500 or 4500 are open using the CLI commands: `show ip socket | include 500` or `show udp | include 500`.
- If these ports are open, verify if IKEv2 is used by checking for an IKEv2 profile in the crypto map configuration with the command: `show crypto map`.
- On Cisco Secure Firewall ASA or FTD devices, verify IKEv2 enablement using the command: `show running-config crypto ikev2 | include enable`.
No workarounds exist for this vulnerability, so detection focuses on confirming that IKEv2 is present and in use on affected devices; those devices should then be scheduled for the fixed software release.
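The following added example (not code from this page or from Cisco) automates the configuration check described above: it scans `show running-config` text for the ASA/FTD `crypto ikev2 enable <interface>` statement and for IOS/IOS XE `crypto ikev2 profile` entries, and flags the device as exposed when IKEv2 is configured. The sample configurations are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `show running-config` output on an ASA/FTD device.
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
crypto ikev2 policy 1
 encryption aes-256
crypto ikev2 enable outside
crypto ikev1 enable inside
"""

# Constructed sample of `show running-config` output on an IOS/IOS XE device.
SAMPLE_IOS_CONFIG = """\
crypto ikev2 proposal PROP1
 encryption aes-cbc-256
crypto ikev2 profile IKEV2-PROFILE
 match identity remote any
crypto map CMAP 10 ipsec-isakmp
 set ikev2-profile IKEV2-PROFILE
"""

ASA_ENABLE = re.compile(r"^crypto ikev2 enable (\S+)", re.MULTILINE)
IOS_PROFILE = re.compile(r"^crypto ikev2 profile (\S+)", re.MULTILINE)
IOS_MAP_PROFILE = re.compile(r"^\s+set ikev2-profile (\S+)", re.MULTILINE)


def asa_ikev2_interfaces(config: str) -> List[str]:
    """Interfaces on which an ASA/FTD device terminates IKEv2 (the exposed listeners)."""
    return ASA_ENABLE.findall(config)


def ios_ikev2_profiles(config: str) -> Dict[str, bool]:
    """IKEv2 profiles on IOS/IOS XE, mapped to whether a crypto map references them."""
    referenced = set(IOS_MAP_PROFILE.findall(config))
    return {name: name in referenced for name in IOS_PROFILE.findall(config)}


def ikev2_exposed(platform: str, config: str) -> bool:
    """True when the device is configured for IKEv2 and so needs the fixed release.

    Any configured IKEv2 profile is treated as exposure (conservative), since the
    crypto-map reference checked here is only one way a profile can be attached.
    """
    if platform in ("asa", "ftd"):
        return bool(asa_ikev2_interfaces(config))
    if platform in ("ios", "ios-xe"):
        return bool(ios_ikev2_profiles(config))
    raise ValueError(f"unknown platform: {platform}")
```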