Cyber Resilience

CVE-2026-20086

Severity: High
Published: 25 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: see the Cisco Security Advisory below
CVSS v3.1 score: 8.6 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS score: 0.0035 (27.2nd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-20086 is a high-severity Improper Handling of Missing Values (CWE-230) vulnerability in Cisco IOS XE (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 27.2nd percentile by exploit likelihood (EPSS 0.0035, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-20086 is a vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets within Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family. The issue arises from improper handling of malformed CAPWAP packets, which could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-230: Improper Handling of Missing Values.

An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted, malformed CAPWAP packet to an affected device. Successful exploitation would cause the device to reload unexpectedly, leading to a DoS condition that disrupts wireless network operations until the device is manually restarted.

The Cisco Security Advisory provides details on mitigation and patch information at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dos-hnX5KGOm. Security practitioners should consult this advisory for software updates and workarounds applicable to the Catalyst CW9800 Family.

Vulnerability details

A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of a malformed CAPWAP packet. An attacker could exploit this vulnerability by sending a malformed CAPWAP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition.

CWE(s)

CWE-230 Improper Handling of Missing Values

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables an unauthenticated remote DoS via malformed CAPWAP packets that cause the device to reload, which maps directly to Endpoint Denial of Service: Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Cisco IOS XE (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Flaw remediation requires timely patching of the Cisco IOS XE software to fix the improper handling of malformed CAPWAP packets, directly eliminating the vulnerability.

SC-5 Denial-of-Service Protection (prevent, detect)
Denial-of-service protection implements mechanisms to detect and mitigate malformed CAPWAP packet floods or anomalies that trigger device reloads.

SI-10 Information Input Validation (prevent)
Information input validation enforces checks on CAPWAP packets to reject malformed inputs before they reach the vulnerable processing logic.
