CVE-2026-20171
BGP Peer Flaps in Cisco Nexus Switches Due to Transitive Attribute Parsing

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.
Meta Information
  • Generated: 2026-06-10
  • AI Q&A: 2026-05-20
  • EPSS Evaluated: 2026-06-08
Affected Vendors & Products (2 associated CPEs)
Vendor   Product      Version / Range
cisco    nexus_3000   *
cisco    nexus_9000   *
CWE
CWE-670: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-20171 is a vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches running in standalone NX-OS mode. The issue arises from incorrect parsing of a transitive BGP attribute.

An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted BGP update through an established BGP peer session. This crafted update can cause the affected device to drop the BGP session and flap with the BGP peer forwarding the update.

This results in a denial of service (DoS) condition, disrupting network operations by causing instability in BGP peer connections.

Impact Analysis

This vulnerability can impact you by causing denial of service (DoS) conditions on affected Cisco Nexus 3000 and 9000 Series Switches running standalone NX-OS with BGP enabled.

  • An attacker can remotely and without authentication trigger BGP peer flaps.
  • The affected device may drop BGP sessions, causing network instability.
  • Network operations relying on stable BGP routing could be disrupted, potentially affecting connectivity and service availability.

Detection Guidance

This vulnerability can be detected by monitoring for indicators of compromise such as BGP neighbor flapping and malformed AS path error messages in device logs.

Specifically, you should check for frequent BGP peer session drops and flaps that could indicate exploitation attempts.

While specific commands are not provided in the resources, typical NX-OS commands to monitor BGP sessions include:

  • show ip bgp summary
  • show logging | include BGP
  • show bgp neighbors

These commands help identify BGP session status and any error messages related to AS path parsing.
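As an added example (not part of this CVE record or of Cisco's guidance), the script below applies the detection advice above to constructed NX-OS-style syslog lines: it counts BGP neighbor Down events per peer inside a sliding time window to flag flapping, and picks out adjacency changes whose reason text mentions the AS path. The log layout, peer addresses and message text are assumptions for illustration, not captured device output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an NX-OS-like syslog layout (approximate, not a
# real device capture). 192.0.2.1 flaps repeatedly with AS-path errors;
# 192.0.2.2 has a single routine transition and must not be flagged.
SAMPLE_LOG = """\
2026-05-20T10:00:01 %BGP-5-ADJCHANGE: bgp-65000 neighbor 192.0.2.1 Down - malformed AS path in UPDATE
2026-05-20T10:00:09 %BGP-5-ADJCHANGE: bgp-65000 neighbor 192.0.2.1 Up
2026-05-20T10:01:15 %BGP-5-ADJCHANGE: bgp-65000 neighbor 192.0.2.1 Down - malformed AS path in UPDATE
2026-05-20T10:01:23 %BGP-5-ADJCHANGE: bgp-65000 neighbor 192.0.2.1 Up
2026-05-20T10:02:30 %BGP-5-ADJCHANGE: bgp-65000 neighbor 192.0.2.1 Down - malformed AS path in UPDATE
2026-05-20T10:30:00 %BGP-5-ADJCHANGE: bgp-65000 neighbor 192.0.2.2 Down - administratively shutdown
"""

# Assumed line shape: "<iso timestamp> ... neighbor <peer> Up|Down[ - <reason>]"
ADJ_RE = re.compile(r"^(\S+) .*neighbor (\S+) (Up|Down)(?: - (.*))?$")
ASPATH_RE = re.compile(r"as[ _-]?path", re.IGNORECASE)

def parse_adjchanges(text):
    """Yield (timestamp, peer, state, reason) for each adjacency-change line."""
    for line in text.splitlines():
        m = ADJ_RE.match(line)
        if m:
            ts, peer, state, reason = m.groups()
            yield datetime.fromisoformat(ts), peer, state, reason or ""

def find_flapping_peers(text, window_seconds=300, min_downs=2):
    """Map peer -> most Down events seen inside any window_seconds span;
    only peers reaching min_downs are returned (one Down is not a flap)."""
    downs = defaultdict(list)
    for ts, peer, state, _ in parse_adjchanges(text):
        if state == "Down":
            downs[peer].append(ts)
    flapping = {}
    for peer, times in downs.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past old events
            best = max(best, end - start + 1)
        if best >= min_downs:
            flapping[peer] = best
    return flapping

def find_as_path_errors(text):
    """Adjacency-change events whose reason text mentions the AS path."""
    return [e for e in parse_adjchanges(text) if ASPATH_RE.search(e[3])]
```

On the sample data `find_flapping_peers(SAMPLE_LOG)` returns `{'192.0.2.1': 3}` and `find_as_path_errors(SAMPLE_LOG)` returns the three Down events carrying the AS-path reason; feed it the output of `show logging | include BGP` to run it against real lines.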

Mitigation Strategies

Immediate mitigation steps include applying Cisco's released software updates that fix the vulnerability.

If immediate upgrading is not possible, Cisco recommends workarounds such as disabling the enforce-first-as feature or configuring path-attribute discard or treat-as-withdraw commands to prevent exploitation.

These mitigations help prevent crafted BGP updates from causing peer flaps and denial of service.
