CVE-2026-20086Improper Handling of Missing Values in Cisco IOS XE Software

CWE-230Improper Handling of Missing Values4 documents4 sources
Severity
8.6HIGHNVD
EPSS
0.1%
top 66.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco IOS XE Software
Timeline
PublishedMar 25

Description

A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of a malformed CAPWAP packet. An attacker could exploit this vulnerability by sending a malformed CAPWAP packet to an affected device. A successful exploit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages1 packages

CVEListV5cisco/cisco_ios_xe_software10 versions+9

🔴Vulnerability Details

2
GHSA
GHSA-m53c-9wh4-q9hq: A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software2026-03-25
CVEList
CVE-2026-20086: A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software2026-03-25

📋Vendor Advisories

1
Cisco
Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family CAPWAP Denial of Service Vulnerability2026-03-25
CVE-2026-20086 — Improper Handling of Missing Values | cvebase