Cisco IOS XE Software TLS Memory Exhaustion Denial of Service Vulnerability

Monitor | CVSS 7.4 | cisco-sa-iosxe-tls-dos-TVgLDEZL | Mar 25, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
  • Attack Vector: Adjacent
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A vulnerability in the TLS library of Cisco IOS XE Software (versions 16.10.1 through 17.9.6b) allows an unauthenticated attacker on the same network segment to exhaust device memory by repeatedly initiating TLS connection attempts or EAP authentication requests, or by performing machine-in-the-middle attacks that reset TLS connections. The device improperly manages memory during TLS setup, failing to release memory when connections fail. Successful exploitation causes the affected device to run out of memory, triggering an unexpected reload and denial of service. Cisco has released software updates to address this issue. No workarounds are available.

What this means
What could happen
An attacker on the same network segment could force a Cisco IOS XE device to run out of memory and crash, causing the device to reboot and disrupt network connectivity or control functions. This is a denial of service attack that could affect routing, switching, or WAN connectivity.
Who's at risk
Network operators running Cisco IOS XE software on core routers, edge routers, WAN aggregation devices, or switches in versions 16.10.1 through 17.9.6b should prioritize this issue. Any device exposed to untrusted adjacent network segments or performing EAP authentication is at risk.
How it could be exploited
An attacker on the same network segment (adjacent network access) repeatedly initiates TLS connection attempts or EAP authentication requests against the device, or performs a machine-in-the-middle attack to reset TLS connections. Each failed connection attempt consumes memory that is not properly released, eventually exhausting available memory and forcing a device reload.
Prerequisites
  • Adjacent network access (same broadcast domain or directly connected network segment)
  • Device must have EAP authentication enabled (if using EAP attack path) or be a target of TLS connection reset attacks
  • No authentication credentials required
  • Remotely exploitable (adjacent network)
  • No authentication required
  • Low complexity attack
  • Affects network availability and continuity
  • Actively exploited in wild (KEV status unknown, monitor for exploitation)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Cisco IOS XE Software TLS Memory Exhaustion | 16.10.1 through 17.9.6b | Fix available
Remediation & Mitigation
Do now
WORKAROUND: If immediate patching is not possible, disable EAP authentication on the device if it is not operationally required.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cisco IOS XE Software to version 17.9.7 or later (or a patched version within the 16.10.x or 17.x lines, if available).
Long-term hardening
HARDENING: Restrict network access to the device to trusted adjacent networks only, using VLAN segmentation or access control lists.
HARDENING: Monitor device memory utilization and CPU usage for unusual increases that may indicate ongoing memory exhaustion attempts.
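As an added defensive example (not code from Cisco or from this advisory), the following Python check implements the monitoring item above: it takes polled free-memory samples, flags a steady decline like the one a leak on failed TLS setups would produce, and projects when free memory would reach zero. The poll interval, memory sizes and both sample series are constructed.

```python
# Added example (not Cisco's or OTPulse's code): flag a sustained, near-linear
# decline of polled free memory and project when it would reach zero.
# Samples are (seconds, free_bytes) pairs; the data below is constructed.
from typing import List, Optional, Tuple

Sample = Tuple[float, float]  # (time in seconds, free memory in bytes)

def fit_slope(samples: List[Sample]) -> float:
    """Least-squares slope of free memory versus time, in bytes per second."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_f = sum(f for _, f in samples) / n
    num = sum((t - mean_t) * (f - mean_f) for t, f in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return num / den if den else 0.0

def drop_fraction(samples: List[Sample]) -> float:
    """Fraction of consecutive polls in which free memory went down."""
    pairs = list(zip(samples, samples[1:]))
    return sum(1 for (_, a), (_, b) in pairs if b < a) / len(pairs)

def assess(samples: List[Sample], window_s: float = 3600.0,
           min_drop_fraction: float = 0.8, horizon_s: float = 86400.0) -> dict:
    """Alert when the trailing window shows a steady decline that would hit
    zero free memory within horizon_s seconds at the current rate."""
    t_end = samples[-1][0]
    recent = [s for s in samples if s[0] >= t_end - window_s]
    if len(recent) < 3:
        return {"alert": False, "reason": "insufficient samples"}
    slope = fit_slope(recent)
    frac = drop_fraction(recent)
    latest_free = recent[-1][1]
    # Projected seconds until free memory reaches zero; None if not declining.
    tte: Optional[float] = latest_free / -slope if slope < 0 else None
    alert = tte is not None and frac >= min_drop_fraction and tte <= horizon_s
    return {"alert": alert, "slope_bytes_per_s": slope,
            "drop_fraction": frac, "seconds_to_exhaustion": tte}

MIB = 2 ** 20
# Constructed: 2 MiB lost at every 5-minute poll, the shape a leak on failed
# TLS setups would produce under a steady stream of connection attempts.
LEAKING = [(300.0 * i, 512.0 * MIB - 2.0 * MIB * i) for i in range(13)]
# Constructed: healthy device, free memory jittering by 1 MiB with no trend.
STEADY = [(300.0 * i, 512.0 * MIB + (MIB if i % 2 else -MIB)) for i in range(13)]

if __name__ == "__main__":
    for name, series in (("leaking", LEAKING), ("steady", STEADY)):
        print(name, assess(series))
```

Feed it the same counter you already poll (for example a free-memory OID via SNMP) and tune the window and horizon to your poll interval; a one-off dip does not trigger it, only a run of consecutive decreases that extrapolates to exhaustion.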