Missing release of memory after effective lifetime in Cisco Systems, Inc products - CVE-2026-20012

 

Missing release of memory after effective lifetime in Cisco Systems, Inc products - CVE-2026-20012

Published: March 25, 2026


Vulnerability identifier: #VU124595
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20012
CWE-ID: CWE-401
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Cisco Adaptive Security Appliance (ASA)
Cisco Firewall Threat Defense (FTD)

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the IKEv2 packet parser when handling IKEv2 packets. A remote attacker can send specially crafted IKEv2 packets to an affected device to trigger a memory leak, resulting in a denial of service condition.

A successful exploit on Cisco IOS and IOS XE Software may cause the device to reload, while on Cisco Secure Firewall ASA and FTD Software it may partially exhaust system memory, leading to system instability and requiring a manual reboot to recover.


How to mitigate CVE-2026-20012

Install security update from vendor's website.

Sources