CVE-2026-20039
Received Received - Intake

Memory Management DoS in Cisco ASA and FTD VPN Web Server

Vulnerability report for CVE-2026-20039, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-04

Last updated on: 2026-04-16

Assigner: Cisco Systems, Inc.

Description

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-04
Last Modified
2026-04-16
Generated
2026-07-06
AI Q&A
2026-03-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
cisco adaptive_security_appliance_software From 9.17.1 (inc) to 9.18.4.57 (exc)
cisco adaptive_security_appliance_software From 9.22.1.1 (inc) to 9.22.2.4 (exc)
cisco adaptive_security_appliance_software From 9.23.1 (inc) to 9.23.1.3 (exc)
cisco adaptive_security_appliance_software From 9.12.1 (inc) to 9.16.4.84 (exc)
cisco adaptive_security_appliance_software From 9.19.1 (inc) to 9.20.3.16 (exc)
cisco firepower_threat_defense_software From 6.4.0 (inc) to 7.0.9 (exc)
cisco firepower_threat_defense_software From 7.3.0 (inc) to 7.4.3 (exc)
cisco firepower_threat_defense_software From 7.7.0 (inc) to 7.7.10 (exc)
cisco firepower_threat_defense_software From 7.1.0 (inc) to 7.2.10 (exc)
cisco firepower_threat_defense_software From 7.6.0 (inc) to 7.6.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-244 Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.

It is caused by ineffective memory management in the VPN web server, which can be exploited by an unauthenticated, remote attacker.

The attacker can send a large number of specially crafted HTTP requests to the affected device, which may cause the device to reload unexpectedly.

This results in a denial of service (DoS) condition, making the device temporarily unavailable.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition on the affected device.

An attacker exploiting this vulnerability can cause the device to reload, disrupting normal operations and potentially causing network downtime.

This can affect availability of VPN services and network security functions provided by the Cisco Secure Firewall devices.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20039. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart