CVE-2026-20010
Published: 25 February 2026
Summary
CVE-2026-20010 is a high-severity Buffer Access with Incorrect Length Value (CWE-805) vulnerability in Cisco NX-OS Software (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and PE-3 (Physical Access Control).
Deeper analysis
CVE-2026-20010 is a vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco NX-OS Software. The issue arises from improper handling of specific fields in an LLDP frame, which could allow an unauthenticated, adjacent attacker to cause the LLDP process to restart. This may result in an affected device reloading unexpectedly, creating a denial-of-service (DoS) condition. The vulnerability is associated with CWE-805 and has a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
An unauthenticated attacker with adjacent network access can exploit this vulnerability by sending a crafted LLDP packet to an interface on an affected device. LLDP operates as a Layer 2 protocol, so the attacker must be directly connected to the target interface, either physically or logically—for example, via a Layer 2 tunnel configured to transport LLDP frames. Successful exploitation causes the device to reload, disrupting network operations.
Mitigation details and affected versions are outlined in the Cisco Security Advisory available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k_aci_lldp_dos-NdgRrrA3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8664
Vulnerability details
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the LLDP process to restart, which could cause an affected device to reload unexpectedly. This vulnerability is due…
more
to improper handling of specific fields in an LLDP frame. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Note: LLDP is a Layer 2 link protocol. To exploit this vulnerability, an attacker would need to be directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Crafted LLDP packet directly exploits LLDP frame handling flaw (CWE-805) to crash/restart process and trigger device reload, matching Application or System Exploitation sub-technique for DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Disabling LLDP on unneeded interfaces directly eliminates the attack surface for crafted LLDP frames that trigger the DoS reload.
Boundary protection can filter or restrict LLDP traffic at device interfaces, blocking unauthenticated adjacent attackers from sending malicious frames.
Physical and logical access control to switch ports limits the ability of an attacker to obtain the direct adjacency required to exploit LLDP.