CVE-2026-20013
Memory Exhaustion DoS in Cisco IKEv2 Processing
Publication date: 2026-03-04
Last updated on: 2026-04-16
Assigner: Cisco Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | adaptive_security_appliance_software | From 9.22.1.1 (inc) to 9.22.2.4 (exc) |
| cisco | adaptive_security_appliance_software | From 9.18.1 (inc) to 9.18.4.66 (exc) |
| cisco | adaptive_security_appliance_software | From 9.19.1 (inc) to 9.20.3.20 (exc) |
| cisco | adaptive_security_appliance_software | From 9.23.1 (inc) to 9.23.1.3 (exc) |
| cisco | firepower_threat_defense_software | From 7.3.0 (inc) to 7.4.3 (exc) |
| cisco | firepower_threat_defense_software | From 7.6.0 (inc) to 7.6.4 (exc) |
| cisco | firepower_threat_defense_software | From 7.2.0 (inc) to 7.2.11 (exc) |
| cisco | firepower_threat_defense_software | From 7.7.0 (inc) to 7.7.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20013 is a denial of service (DoS) vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA and FTD Software. It occurs because memory is not properly freed during IKEv2 packet processing, leading to memory exhaustion.
An unauthenticated, remote attacker can exploit this by sending specially crafted IKEv2 packets to the affected device, causing it to exhaust resources and enter a DoS state that requires manual device reload to recover.
How can this vulnerability impact me?
This vulnerability can cause a denial of service condition on affected Cisco Secure Firewall devices, making them unavailable.
Because the affected device may need to be manually reloaded after exploitation, this can disrupt network services and impact the availability of services to other devices in the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if the IKEv2 feature is enabled on your Cisco Secure Firewall ASA or FTD device. Only devices with IKEv2 enabled are vulnerable.
You can use the following CLI command to check if IKEv2 is enabled:
- `show running-config crypto ikev2 | include enable`
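As an added illustration, not part of this record or of Cisco's Software Checker, the following Python script combines the two checks a practitioner would actually perform: is the running software inside one of the affected ranges listed in the table above, and is IKEv2 enabled on any interface (the `crypto ikev2 enable <interface>` lines that the command above prints). The `show version` string formats and the sample configuration are constructed for the example.

```python
import re

# Affected ranges copied from the record's table: (first affected, inclusive; first fixed, exclusive)
AFFECTED = {
    "asa": [("9.22.1.1", "9.22.2.4"), ("9.18.1", "9.18.4.66"),
            ("9.19.1", "9.20.3.20"), ("9.23.1", "9.23.1.3")],
    "ftd": [("7.3.0", "7.4.3"), ("7.6.0", "7.6.4"),
            ("7.2.0", "7.2.11"), ("7.7.0", "7.7.10")],
}

def parse_version(text):
    """Normalise '9.18(4)66' (ASA 'show version' style) or '9.18.4.66' to a 4-tuple.
    Only the first version-looking token is used, so trailing text such as
    '(Build 123)' on an FTD 'show version' line is ignored."""
    m = re.search(r"\d+(?:[.()]\d+)*", text)
    parts = [int(p) for p in re.findall(r"\d+", m.group(0))]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected_version(product, version):
    """True if 'version' falls inside any listed range for 'asa' or 'ftd'."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED[product])

# Matches 'crypto ikev2 enable outside' (and the client-services variant); ikev1 lines do not match.
IKEV2_ENABLE = re.compile(r"^crypto ikev2 enable (\S+)", re.MULTILINE)

def ikev2_interfaces(running_config):
    """Interfaces on which IKEv2 is enabled, i.e. where the affected code path is reachable."""
    return IKEV2_ENABLE.findall(running_config)

def assess(product, version, running_config):
    """Exposure summary: the device is exposed only if the version is affected AND IKEv2 is enabled."""
    ifaces = ikev2_interfaces(running_config)
    vulnerable = is_affected_version(product, version)
    return {"vulnerable_version": vulnerable,
            "ikev2_interfaces": ifaces,
            "exposed": vulnerable and bool(ifaces)}

# Constructed sample running-config excerpt (not captured from a real device)
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 policy 10
 encryption aes-256
crypto ikev2 enable outside
crypto ikev1 enable inside
"""

if __name__ == "__main__":
    print(assess("asa", "9.18(4)65", SAMPLE_CONFIG))
```

Feed it the product, the version string from `show version`, and the output of `show running-config`; a result with `exposed` true means the device should be scheduled for the fixed release.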
What immediate steps should I take to mitigate this vulnerability?
There are no workarounds available for this vulnerability. The immediate mitigation step is to upgrade your Cisco Secure Firewall ASA or FTD Software to the fixed software versions released by Cisco.
Additionally, you should monitor your devices for signs of resource exhaustion caused by crafted IKEv2 packets and be prepared to manually reload the device if a DoS condition occurs.
Cisco also provides a Software Checker tool to help identify affected releases and fixed versions, which customers are strongly advised to use.