
CVE-2026-20004

Severity: High

Published: 25 March 2026
Modified: 26 March 2026
CVSS v3.1 base score: 7.4 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS score: 0.0008 (22.6th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-20004 is a high-severity Missing Reference to Active Allocated Resource (CWE-771) vulnerability in Cisco IOS XE (inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 22.6th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-20004 is a vulnerability in the TLS library of Cisco IOS XE Software that stems from improper management of memory resources during TLS connection setup. This flaw, classified under CWE-771, enables an unauthenticated, adjacent attacker to exhaust the available memory on an affected device, with a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

An adjacent attacker can exploit this vulnerability by repeatedly triggering memory-increasing conditions, such as attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled on the device or conducting a machine-in-the-middle attack to reset TLS connections between the device and other systems. Successful exploitation leads to memory exhaustion, causing an unexpected reload and a denial-of-service (DoS) condition on the affected device.

For mitigation details, including available patches and workarounds, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-tls-dos-TVgLDEZL.

Vulnerability details

A vulnerability in the TLS library of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust the available memory of an affected device. This vulnerability is due to improper management of memory resources during TLS connection setup.

An attacker could exploit this vulnerability by repeatedly triggering the conditions that cause the memory increase. This could be done in a variety of ways, such as by repeatedly attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled on an affected device or by using a machine-in-the-middle attack and resetting TLS connections between the affected device and other devices. A successful exploit could allow the attacker to exhaust the available memory on an affected device, resulting in an unexpected reload and a denial of service (DoS) condition.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique?

Direct resource exhaustion via crafted TLS/EAP traffic leads to a system crash, matching the Application or System Exploitation sub-technique.

Confidence: HIGH (MITRE ATT&CK Enterprise v18.1)

CVEs Like This One

CVE-2026-3039 (shared CWE-771)

Affected Assets

Cisco IOS XE (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of the specific flaw in TLS library memory management during connection setup.

prevent (SC-5, Denial-of-service Protection): Employs denial-of-service protection mechanisms to prevent memory exhaustion from repeated TLS connection triggers or resets.

prevent (SC-6, Resource Availability): Protects availability of critical resources like memory against exhaustion attacks during TLS operations.