CVE-2026-20033
Published: 25 February 2026
Summary
CVE-2026-20033 is a high-severity Buffer Access with Incorrect Length Value (CWE-805) vulnerability in Cisco Nexus (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-20033 is a vulnerability affecting Cisco Nexus 9000 Series Fabric Switches operating in ACI mode. The issue arises from insufficient validation when processing specific Ethernet frames on the out-of-band (OOB) management interface, which could allow an unauthenticated adjacent attacker to trigger a denial of service (DoS) condition. Published on 2026-02-25, it carries a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-805.
An adjacent attacker can exploit this vulnerability by sending a crafted Ethernet frame to the OOB management interface of an affected device. Successful exploitation causes the device to reload unexpectedly, leading to a DoS condition. Only the OOB management interface is impacted.
The Cisco Security Advisory provides details on mitigation and patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cpdos-qLsv6pFD.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8665
Vulnerability details
A vulnerability in Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation when processing specific…
more
Ethernet frames. An attacker could exploit this vulnerability by sending a crafted Ethernet frame to the management interface of an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. Note: Only the out-of-band (OOB) management interface is affected.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables unauthenticated adjacent attackers to send crafted frames triggering device reload/crash, directly mapping to endpoint DoS via system exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of information inputs, addressing the root cause of insufficient Ethernet frame validation on the OOB interface.
Enforces boundary protections that can restrict or filter traffic to the OOB management interface from adjacent attackers.
Implements denial-of-service protection mechanisms to prevent crafted frames from triggering device reloads.