CVE-2026-20004
Published: 25 March 2026
Summary
CVE-2026-20004 is a high-severity Missing Reference to Active Allocated Resource (CWE-771) vulnerability in Cisco IOS XE (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-20004 is a vulnerability in the TLS library of Cisco IOS XE Software that stems from improper management of memory resources during TLS connection setup. This flaw, classified under CWE-771, enables an unauthenticated, adjacent attacker to exhaust the available memory on an affected device, with a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
An adjacent attacker can exploit this vulnerability by repeatedly triggering memory-increasing conditions, such as attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled on the device or conducting a machine-in-the-middle attack to reset TLS connections between the device and other systems. Successful exploitation leads to memory exhaustion, causing an unexpected reload and a denial-of-service (DoS) condition on the affected device.
For mitigation details, including available patches and workarounds, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-tls-dos-TVgLDEZL.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15426
Vulnerability details
A vulnerability in the TLS library of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust the available memory of an affected device. This vulnerability is due to improper management of memory resources during TLS connection setup.
An attacker could exploit this vulnerability by repeatedly triggering the conditions that cause the memory increase. This could be done in a variety of ways, such as by repeatedly attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled on an affected device or by using a machine-in-the-middle attack and resetting TLS connections between the affected device and other devices. A successful exploit could allow the attacker to exhaust the available memory on an affected device, resulting in an unexpected reload and a denial of service (DoS) condition.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct resource exhaustion via crafted TLS/EAP traffic leads to a system crash, which matches the Application or System Exploitation sub-technique (T1499.004).
Mitigating Controls (NIST 800-53 r5, AI)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the specific flaw in TLS library memory management during connection setup.
- SC-5 (Denial-of-service Protection): employs denial-of-service protection mechanisms to prevent memory exhaustion from repeated TLS connection triggers or resets.
- SC-6 (Resource Availability): protects the availability of critical resources such as memory against exhaustion during TLS operations.