CVE-2026-20082
Status: Received - Intake
TCP SYN Flood Handling Flaw in Cisco ASA Causes DoS

Publication date: 2026-03-04

Last updated on: 2026-05-04

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly. This vulnerability is due to improper handling of new, incoming TCP connections that are destined to management or data interfaces when the device is under a TCP SYN flood attack. An attacker could exploit this vulnerability by sending a crafted stream of traffic to an affected device. A successful exploit could allow the attacker to prevent all incoming TCP connections to the device from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all network protocols that are TCP-based. This results in a denial of service (DoS) condition for affected features.
Meta Information
Published: 2026-03-04
Last Modified: 2026-05-04
Generated: 2026-05-07
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
1 associated CPE

Vendor   Product                               Version / Range
cisco    adaptive_security_appliance_software  From 9.20.4.14 (inc) to 9.20.4.19 (exc)
Exploitability
CWE
CWE ID    Description
CWE-772   The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20082 is a high-severity vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software version 9.20.4.14. It occurs due to improper handling of embryonic TCP connection limits during TCP SYN flood attacks.

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted stream of TCP SYN packets to the device. This causes the device to incorrectly drop incoming TCP SYN packets destined for management or data interfaces.

As a result, the device prevents all incoming TCP connections from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all TCP-based network protocols, leading to a denial of service (DoS) condition.


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) condition on affected Cisco Secure Firewall ASA devices.

An attacker exploiting this issue can prevent all incoming TCP connections, which includes blocking remote management access and Remote Access VPN (RAVPN) connections.

This disruption affects critical device functionality and network operations, potentially causing significant operational impact.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, Cisco recommends upgrading to the fixed software release 9.20.4.19 of Cisco Secure Firewall ASA Software.

There are no workarounds available for this vulnerability, so applying the software update is the primary mitigation step.

Ensure device compatibility and sufficient memory before upgrading, and contact Cisco TAC for assistance if needed.

