#VU124570 Missing Reference to Active Allocated Resource in Cisco IOS XE - CVE-2026-20004
Published: March 25, 2026
Vulnerability identifier: #VU124570
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20004
CWE-ID: CWE-771
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS XE
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper management of memory resources in the TLS library when handling TLS connection setup. A remote attacker can send a specially crafted sequence of TLS connection requests to cause a denial of service.
Exploitation can be achieved by repeatedly triggering memory allocation during TLS handshake procedures, such as through repeated EAP authentication attempts when local EAP is enabled or via machine-in-the-middle connection resets. The affected device must be configured with TLS-dependent features such as Local EAP, RadSec, SANet, or Telemetry, which are not enabled by default.
Remediation
Install security update from vendor's website.