CVE-2026-20049
Published: 04 March 2026
Summary
CVE-2026-20049 is a high-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 38.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-13 (Predictable Failure Prevention).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the memory allocation vulnerability by requiring timely installation of vendor patches for the affected Cisco ASA/FTD software.
- Prevents DoS exploitation by implementing rate limiting or connection limits on IPsec VPN traffic to block crafted GCM-encrypted IKEv2 packets.
- Implements controls to prevent predictable failure modes, such as insufficient memory allocation during IPsec traffic processing, from causing device reloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables an authenticated remote DoS via crafted IPsec traffic that exploits a memory-allocation flaw in VPN processing, which maps directly to the Application or System Exploitation sub-technique.
NVD Description
A vulnerability in the processing of Galois/Counter Mode (GCM)-encrypted Internet Key Exchange version 2 (IKEv2) IPsec traffic of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to the allocation of an insufficiently sized block of memory. An attacker could exploit this vulnerability by sending crafted GCM-encrypted IPsec traffic to an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. To exploit this vulnerability, the attacker must have valid credentials to establish a VPN connection with the affected device.
Deeper analysis
CVE-2026-20049 is a vulnerability in the processing of Galois/Counter Mode (GCM)-encrypted Internet Key Exchange version 2 (IKEv2) IPsec traffic within Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue stems from the allocation of an insufficiently sized block of memory, classified under CWE-131, and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
An authenticated remote attacker can exploit this vulnerability by sending crafted GCM-encrypted IPsec traffic to an affected device, provided they possess valid credentials to establish a VPN connection. Successful exploitation triggers an unexpected reload of the device, resulting in a denial-of-service (DoS) condition.
For mitigation details, including available patches and workarounds, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-esp-dos-uv7yD8P5.
Details
- CWE(s)