#VU124595 Missing release of memory after effective lifetime in Cisco Systems, Inc products - CVE-2026-20012

 


Published: March 25, 2026


Vulnerability identifier: #VU124595
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20012
CWE-ID: CWE-401
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Cisco IOS XE
Cisco Adaptive Security Appliance (ASA)
Cisco Firewall Threat Defense (FTD)
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the IKEv2 packet parser when handling IKEv2 packets. A remote attacker can send specially crafted IKEv2 packets to an affected device to trigger a memory leak, resulting in a denial of service condition.

A successful exploit on Cisco IOS and IOS XE Software may cause the device to reload, while on Cisco Secure Firewall ASA and FTD Software it may partially exhaust system memory, leading to system instability and requiring a manual reboot to recover.


Remediation

Install the security update from the vendor's website.
