CVE-2026-20004: Missing Reference to Active Allocated Resource in Cisco IOS XE Software

Severity: 7.4 HIGH (NVD)
EPSS: 0.0% (top 91.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Mar 25

Description

A vulnerability in the TLS library of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust the available memory of an affected device. This vulnerability is due to improper management of memory resources during TLS connection setup. An attacker could exploit this vulnerability by repeatedly triggering the conditions that cause the memory increase. This could be done in a variety of ways, such as by repeatedly attempting Extensible Authentication Protocol (EAP) authe

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 4.0

Affected Packages (1 package)

CVEListV5: cisco/cisco_ios_xe_software (180 versions)

Vulnerability Details (2)

CVEList: CVE-2026-20004 (2026-03-25); same description as above.
GHSA: GHSA-xp4f-63f5-wmm9 (2026-03-25); same description as above.

Vendor Advisories (1)

Cisco: Cisco IOS XE Software TLS Memory Exhaustion Denial of Service Vulnerability (2026-03-25)
CVE-2026-20004 — Cisco IOS XE Software vulnerability | cvebase