CVE-2026-20171
BGP Peer Flaps in Cisco Nexus Switches Due to Transitive Attribute Parsing
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Cisco Systems, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | nexus_3000 | * |
| cisco | nexus_9000 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-20171 is a vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches running in standalone NX-OS mode. The issue arises from incorrect parsing of a transitive BGP attribute.
An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted BGP update through an established BGP peer session. This crafted update can cause the affected device to drop the BGP session and flap with the BGP peer forwarding the update.
This results in a denial of service (DoS) condition, disrupting network operations by causing instability in BGP peer connections.
How can this vulnerability impact me?
This vulnerability can impact you by causing denial of service (DoS) conditions on affected Cisco Nexus 3000 and 9000 Series Switches running standalone NX-OS with BGP enabled.
- An attacker can remotely and without authentication trigger BGP peer flaps.
- The affected device may drop BGP sessions, causing network instability.
- Network operations relying on stable BGP routing could be disrupted, potentially affecting connectivity and service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring for indicators such as BGP neighbor flapping and malformed AS path error messages in device logs.
Specifically, check for frequent BGP peer session drops and flaps, which could indicate exploitation attempts.
While the resources do not provide specific commands, typical NX-OS commands for monitoring BGP sessions include:
- show ip bgp summary
- show logging | include BGP
- show bgp neighbors
These commands show BGP session state and any logged error messages related to AS path parsing.
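The following script is an added example, not part of this record or of any Cisco tooling: it runs the detection idea above over the output of `show logging | include BGP`, counting per-peer Down events inside a sliding time window (a flap indicator) and per-peer malformed-AS-path messages. The syslog layout and message mnemonics in the constructed sample lines are assumptions; adjust the regular expressions to the format your devices actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed NX-OS-like syslog layout (not real device output).
SAMPLE_LOG = """\
2026 May 20 10:00:01 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 192.0.2.1 Up
2026 May 20 10:00:01 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 198.51.100.7 Up
2026 May 20 10:02:15 nx1 %BGP-3-NOTIFICATION: bgp- [12345] (default) neighbor 192.0.2.1 malformed AS path in UPDATE
2026 May 20 10:02:16 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 192.0.2.1 Down - error in update
2026 May 20 10:03:40 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 192.0.2.1 Up
2026 May 20 10:04:02 nx1 %BGP-3-NOTIFICATION: bgp- [12345] (default) neighbor 192.0.2.1 malformed AS path in UPDATE
2026 May 20 10:04:03 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 192.0.2.1 Down - error in update
2026 May 20 10:05:30 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 192.0.2.1 Up
2026 May 20 10:06:12 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 192.0.2.1 Down - error in update
2026 May 20 11:30:00 nx1 %BGP-5-ADJCHANGE: bgp- [12345] (default) neighbor 198.51.100.7 Down - administrative shutdown
"""

# Assumed formats: adjacency changes carry a timestamp, a neighbor address and Up/Down;
# AS path problems are any line naming a neighbor and the words "malformed AS path".
ADJ_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) .*%BGP-5-ADJCHANGE: "
                    r".*neighbor (?P<peer>\S+) (?P<state>Up|Down)")
ASPATH_RE = re.compile(r"neighbor (?P<peer>\S+).*malformed AS path", re.IGNORECASE)


def analyze(log_text, window=timedelta(minutes=10), max_downs=2):
    """Return (flapping_peers, aspath_errors): peers whose Down events within
    `window` reach `max_downs`, and per-peer counts of malformed AS path messages."""
    downs = defaultdict(list)
    aspath_errors = defaultdict(int)
    for line in log_text.splitlines():
        m = ADJ_RE.match(line)
        if m:
            if m["state"] == "Down":
                downs[m["peer"]].append(datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"))
            continue
        if ASPATH_RE.search(line):
            aspath_errors[ASPATH_RE.search(line)["peer"]] += 1
    flapping = {}
    for peer, times in downs.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted Down times
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= max_downs:
            flapping[peer] = best
    return flapping, dict(aspath_errors)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))   # ({'192.0.2.1': 3}, {'192.0.2.1': 2})
```

A single Down followed by an administrative shutdown, as for 198.51.100.7 in the sample, is not reported; only repeated drops inside the window, especially alongside AS path errors from the same peer, warrant a closer look at that session.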
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying Cisco's released software updates that fix the vulnerability.
If immediate upgrading is not possible, Cisco recommends workarounds such as disabling the enforce-first-as feature or configuring path-attribute discard or treat-as-withdraw commands to prevent exploitation.
These mitigations help prevent crafted BGP updates from causing peer flaps and denial of service.