Cyber Posture

CVE-2026-20014

Severity: High
Published: 04 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: see the Cisco Security Advisory linked below
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0018 (38.9th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20014 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in the IKEv2 feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Its CVSS v3.1 base score is 7.7 (High): the attacker needs valid VPN user credentials (PR:L) but no user interaction, the impact is confined to availability (A:H), and the scope change (S:C) reflects that a firewall reload also takes down service for devices behind it.

Operationally, exploitation aligns with the MITRE ATT&CK technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE is ranked at the 38.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability), alongside SI-2 (Flaw Remediation), which is the only one of the three that removes the flaw itself.

Threat & Defense at a Glance

What attackers do: exploitation maps to Endpoint Denial of Service: Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the IKEv2 memory leak by applying the vendor fix, which stops crafted packets from exhausting memory in the first place.

SC-5 Denial-of-service Protection (prevent): implements mechanisms to detect and limit resource-exhaustion attacks such as floods of crafted IKEv2 packets aimed at device memory.

SC-6 Resource Availability (prevent): protects critical system resources such as memory from depletion by authenticated VPN users sending malformed IKEv2 packets.

Note that SC-5 and SC-6 reduce the blast radius but leave the leak in place; the only control that removes the condition is upgrading to a fixed release per the Cisco advisory.

MITRE ATT&CK Enterprise Techniques

T1499.004 Endpoint Denial of Service: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique? Direct memory-exhaustion DoS via crafted IKEv2 packets matches the Application or System Exploitation sub-technique of Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, remote attacker with valid VPN user credentials to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted, authenticated IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust memory, causing the device to reload.

Deeper analysis

CVE-2026-20014 is a vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software. The issue arises from improper processing of IKEv2 packets: memory taken while handling a packet is not released afterwards (CWE-401, Missing Release of Memory after Effective Lifetime), so an authenticated remote attacker with valid VPN user credentials can drive the device's free memory down by sending crafted packets until it is exhausted. Exhaustion forces a reload, which may also disrupt service availability for other devices in the network. The CVE carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

The precondition is valid VPN user credentials (PR:L): any account that can complete IKEv2 authentication to the device meets it, so a single phished or leaked remote-access credential is enough. No user interaction is required (UI:N), the attack is launched over the network (AV:N) with low complexity (AC:L), and the scope change (S:C) reflects that a firewall reload interrupts traffic for hosts behind it, not only the VPN service. Successful attacks affect availability only (C:N/I:N/A:H). Until a fixed release is installed, watching memory usage on the device and correlating any unexpected reload with active IKEv2 VPN sessions is the practical way to notice this being exercised.
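The CWE-401 failure mode behind this CVE, shown as an added illustrative example in C. This is not Cisco's code and says nothing about where the real leak is in ASA/FTD; it is a hypothetical per-message handler with a 28-byte header carrying a big-endian length at offset 24 (the IKEv2 header layout, simplified), a leaky variant that allocates state before validating and returns from the rejection path without freeing, and a hardened variant that validates first and funnels every outcome through one cleanup path. A live-allocation counter stands in for the device's memory pool. The sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not Cisco's code: a 28-byte IKEv2-style header
 * with a 32-bit big-endian total-length field at offset 24. */
#define IKEV2_HDR_LEN 28
#define MAX_MSG_LEN   4096

/* Per-message state blocks not yet released. On a real appliance this is
 * the pool usage that climbs until the box reloads. */
static size_t live_allocs = 0;

struct msg_state {
    uint8_t *payload;
    size_t   payload_len;
};

static struct msg_state *state_new(size_t len) {
    struct msg_state *st = calloc(1, sizeof *st);
    if (!st) return NULL;
    st->payload = malloc(len ? len : 1);
    if (!st->payload) { free(st); return NULL; }
    st->payload_len = len;
    live_allocs++;
    return st;
}

static void state_free(struct msg_state *st) {
    if (!st) return;
    free(st->payload);
    free(st);
    live_allocs--;
}

static uint32_t hdr_length(const uint8_t *p) {
    return ((uint32_t)p[24] << 24) | ((uint32_t)p[25] << 16) |
           ((uint32_t)p[26] << 8)  |  (uint32_t)p[27];
}

/* CWE-401 pattern: state is allocated before the header is validated and
 * the rejection path returns without releasing it, so every malformed
 * message costs one state block that is never reclaimed. */
int handle_ikev2_leaky(const uint8_t *buf, size_t n) {
    if (n < IKEV2_HDR_LEN) return -1;
    struct msg_state *st = state_new(n - IKEV2_HDR_LEN);
    if (!st) return -1;
    if (hdr_length(buf) != n || n > MAX_MSG_LEN)
        return -2;                       /* BUG: st leaks here */
    memcpy(st->payload, buf + IKEV2_HDR_LEN, n - IKEV2_HDR_LEN);
    /* ... normal processing of the message ... */
    state_free(st);
    return 0;
}

/* Hardened form: validate before allocating anything, and route every
 * outcome through a single exit path so allocations are always released. */
int handle_ikev2_fixed(const uint8_t *buf, size_t n) {
    int rc = -1;
    struct msg_state *st = NULL;
    if (n < IKEV2_HDR_LEN) return -1;
    if (hdr_length(buf) != n || n > MAX_MSG_LEN) return -2;
    st = state_new(n - IKEV2_HDR_LEN);
    if (!st) goto out;
    memcpy(st->payload, buf + IKEV2_HDR_LEN, n - IKEV2_HDR_LEN);
    /* ... normal processing of the message ... */
    rc = 0;
out:
    state_free(st);
    return rc;
}

/* Constructed test message: 64 zero bytes whose declared length is either
 * the true size (well-formed) or a bogus value (malformed). */
static void make_msg(uint8_t *out, size_t total, uint32_t declared) {
    memset(out, 0, total);
    out[24] = (uint8_t)(declared >> 24); out[25] = (uint8_t)(declared >> 16);
    out[26] = (uint8_t)(declared >> 8);  out[27] = (uint8_t)declared;
}

/* Push `count` messages through a handler and return how many state
 * blocks are still outstanding afterwards (0 means nothing leaked). */
size_t leaked_after(int (*handler)(const uint8_t *, size_t),
                    int count, int malformed) {
    uint8_t msg[64];
    live_allocs = 0;
    make_msg(msg, sizeof msg, malformed ? 0xFFFFu : (uint32_t)sizeof msg);
    for (int i = 0; i < count; i++) handler(msg, sizeof msg);
    return live_allocs;
}

int main(void) {
    printf("leaky handler, 1000 malformed msgs: %zu blocks leaked\n",
           leaked_after(handle_ikev2_leaky, 1000, 1));
    printf("fixed handler, 1000 malformed msgs: %zu blocks leaked\n",
           leaked_after(handle_ikev2_fixed, 1000, 1));
    return 0;
}
```

The point of the hardened form is structural rather than a single missing `free`: nothing is allocated until the message is known to be acceptable, and the one `out:` label means a future error branch cannot reintroduce the leak. Reviewing a parser for this shape (allocation above validation, early `return` below it) is the quickest way to find CWE-401 in packet-handling code.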

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ikev2-dos-eBueGdEG details affected versions, exploitation conditions, and recommended mitigations or patches to address the vulnerability.

Details

CWE(s): CWE-401 Missing Release of Memory after Effective Lifetime

Affected Products

Cisco Adaptive Security Appliance Software: 9.12.1 — 9.16.4.85 · 9.17.1 — 9.18.4.66 · 9.19.1 — 9.20.4
Cisco Firepower Threat Defense Software: 6.4.0 — 7.0.9 · 7.1.0 — 7.2.11 · 7.3.0 — 7.4.3
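An inventory check against the affected ranges listed above, as an added example that is not Cyber Posture's or Cisco's code. It assumes the ranges are inclusive on both ends (an assumption; confirm against the fixed-release table in the Cisco advisory before acting on a result) and that versions are compared component by component. ASA `show version` prints releases in the form 9.16(4)85, so the parser treats every run of digits as a component and compares that form identically to 9.16.4.85; pass only the release number, not a trailing build identifier, or the build will be read as a fourth component.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NCOMP 4

typedef struct { int c[NCOMP]; } ver_t;

/* Every run of digits becomes one component, so "9.16(4)85" and
 * "9.16.4.85" both parse to {9,16,4,85}; missing components are 0.
 * Returns 0 if the string contains no digits at all. */
static int parse_ver(const char *s, ver_t *v) {
    int i = 0;
    memset(v, 0, sizeof *v);
    while (*s && i < NCOMP) {
        if (isdigit((unsigned char)*s)) {
            int n = 0;
            while (isdigit((unsigned char)*s)) n = n * 10 + (*s++ - '0');
            v->c[i++] = n;
        } else {
            s++;
        }
    }
    return i > 0;
}

static int cmp_ver(const ver_t *a, const ver_t *b) {
    for (int i = 0; i < NCOMP; i++)
        if (a->c[i] != b->c[i]) return a->c[i] < b->c[i] ? -1 : 1;
    return 0;
}

struct range { const char *lo, *hi; };

/* Affected ranges exactly as listed on this page, treated as inclusive
 * (assumption: verify against the Cisco advisory's fixed-release table). */
static const struct range asa_ranges[] = {
    {"9.12.1", "9.16.4.85"}, {"9.17.1", "9.18.4.66"}, {"9.19.1", "9.20.4"},
};
static const struct range ftd_ranges[] = {
    {"6.4.0", "7.0.9"}, {"7.1.0", "7.2.11"}, {"7.3.0", "7.4.3"},
};

/* 1 if version falls inside any range, 0 if outside all, -1 if unparsable. */
int in_ranges(const char *version, const struct range *r, size_t n) {
    ver_t v, lo, hi;
    if (!parse_ver(version, &v)) return -1;
    for (size_t i = 0; i < n; i++) {
        parse_ver(r[i].lo, &lo);
        parse_ver(r[i].hi, &hi);
        if (cmp_ver(&v, &lo) >= 0 && cmp_ver(&v, &hi) <= 0) return 1;
    }
    return 0;
}

int asa_affected(const char *v) {
    return in_ranges(v, asa_ranges, sizeof asa_ranges / sizeof asa_ranges[0]);
}
int ftd_affected(const char *v) {
    return in_ranges(v, ftd_ranges, sizeof ftd_ranges / sizeof ftd_ranges[0]);
}

int main(void) {
    /* Constructed sample inventory: product, release string as reported. */
    const char *asa[] = { "9.16(4)85", "9.16(4)90", "9.18(4)70", "9.20(4)" };
    const char *ftd[] = { "7.0.9", "7.2.11", "7.2.12", "7.4.3" };
    for (size_t i = 0; i < sizeof asa / sizeof asa[0]; i++)
        printf("ASA %-10s -> %d\n", asa[i], asa_affected(asa[i]));
    for (size_t i = 0; i < sizeof ftd / sizeof ftd[0]; i++)
        printf("FTD %-10s -> %d\n", ftd[i], ftd_affected(ftd[i]));
    return 0;
}
```

A release that compares above a range's upper bound (for example 9.16(4)90 against 9.16.4.85) is reported as not affected only because the page's table stops there; interim builds above a listed ceiling should be checked against the advisory rather than trusted from this summary.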

CVEs Like This One

CVE-2026-20105 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20101 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20049 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20103 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20039 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20100 (same product: Cisco Adaptive Security Appliance Software)
CVE-2025-20343 (same vendor: Cisco)
CVE-2025-20170 (same vendor: Cisco)
CVE-2025-20169 (same vendor: Cisco)
CVE-2025-20174 (same vendor: Cisco)

References

Cisco Security Advisory cisco-sa-asaftd-ikev2-dos-eBueGdEG: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ikev2-dos-eBueGdEG