Cyber Resilience

CVE-2026-20012

High

Published: 25 March 2026
Modified: 26 March 2026
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0035 (27.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-20012 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 27.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-20012 is a vulnerability in the Internet Key Exchange version 2 (IKEv2) feature affecting Cisco IOS Software, Cisco IOS XE Software, Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, and Cisco Secure Firewall Threat Defense (FTD) Software. The issue stems from improper parsing of IKEv2 packets, which could allow an unauthenticated, remote attacker to trigger a memory leak and cause a denial-of-service (DoS) condition. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-401 (Memory Leak).

An attacker can exploit this vulnerability by sending crafted IKEv2 packets to an affected device. For Cisco IOS Software and IOS XE Software, a successful exploit causes the device to reload, resulting in a DoS condition. For Cisco Secure Firewall ASA Software and FTD Software, it leads to partial exhaustion of system memory, causing instability such as the inability to establish new IKEv2 VPN sessions. Recovery requires a manual reboot of the device.

The Cisco Security Advisory provides details on mitigation and available patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ios-dos-kPEpQGGK.

Vulnerability details

A vulnerability in the Internet Key Exchange version 2 (IKEv2) feature of Cisco IOS Software, Cisco IOS XE Software, Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition on an affected device. This vulnerability is due to improper parsing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit of Cisco IOS Software and IOS XE Software could allow the attacker to cause the affected device to reload, resulting in a DoS condition. A successful exploit of Cisco Secure Firewall ASA Software and Secure FTD Software could allow the attacker to partially exhaust system memory, resulting in system instability, such as the inability to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to send crafted IKEv2 packets causing memory leaks, device reloads, or resource exhaustion, directly enabling endpoint DoS via application/system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29910 (Shared CWE-401)
CVE-2026-25796 (Shared CWE-401)
CVE-2026-43506 (Shared CWE-401)
CVE-2026-7379 (Shared CWE-401)
CVE-2026-23095 (Shared CWE-401)
CVE-2026-4247 (Shared CWE-401)
CVE-2026-33856 (Shared CWE-401)
CVE-2025-25199 (Shared CWE-401)
CVE-2026-3650 (Shared CWE-401)
CVE-2026-23453 (Shared CWE-401)

Affected Assets

Internet Key Exchange
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly remediates the specific flaw in IKEv2 packet parsing causing memory leaks and DoS by requiring timely installation of vendor patches.

prevent, detect: Protects against DoS from crafted IKEv2 packets by monitoring traffic patterns and limiting resources to prevent service disruption.

prevent: Ensures resource availability by monitoring and restricting memory usage to mitigate exhaustion from repeated exploitation of the IKEv2 memory leak.
