SB20260325183 - Remote denial of service in Cisco IKEv2 implementation on IOS XE, ASA and FTD devices
Published: March 25, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-20012)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the IKEv2 packet parser. A remote attacker can send specially crafted IKEv2 packets to an affected device to trigger a memory leak, resulting in a denial of service condition.
A successful exploit on Cisco IOS and IOS XE Software may cause the device to reload, while on Cisco Secure Firewall ASA and FTD Software it may partially exhaust system memory, leading to system instability and requiring a manual reboot to recover.
Remediation
Install the update from the vendor's website.