Cisco IOS XR Egress Packet Network Interface Aligner Interrupt Denial of Service Vulnerability

Monitor | CVSS 6.8 | cisco-sa-xrncs-epni-int-dos-TWMffUsN | Mar 11, 2026
Cisco | Transportation
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A vulnerability in Cisco IOS XR Software affects the Egress Packet Network Interface (EPNI) Aligner interrupt handling on Cisco NCS 5500 Series routers (with NC57 line cards) and Cisco NCS 5700 routers. When an EPNI Aligner interrupt is triggered during heavy traffic, packet corruption can occur, causing the network processing unit (NPU) and ASIC to stop processing traffic. An unauthenticated remote attacker can exploit this by sending continuous crafted packets to an interface, causing persistent packet loss and denial of service. Cisco has released software updates to address this vulnerability. No workarounds are available.

What this means
What could happen
An attacker can send malicious traffic to cause the network processor to stop handling packets on an affected router interface, resulting in complete traffic loss on that interface and causing network outages.
Who's at risk
Organizations operating Cisco NCS 5500 Series routers with NC57 line cards or Cisco NCS 5700 routers in transportation networks and other critical network segments should review this advisory. These devices typically serve as core or distribution routers handling traffic aggregation.
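To check which routers fall under the hardware scope named above, the following added example (not code from Cisco or from this advisory) parses `show inventory`-style text and flags NCS 5700 chassis and NC57 line cards. The PID prefixes `NCS-57` and `NC57-` are assumptions, and all sample hostnames, descriptions and serial numbers are constructed.

```python
import re

# Constructed `show inventory`-style samples; hostnames, descriptions and
# serial numbers are invented for illustration.
SAMPLE_FLEET = {
    "core-a": 'NAME: "Rack 0", DESCR: "8-slot chassis"\n'
              'PID: NCS-5508, VID: V01, SN: XXX00000001\n'
              'NAME: "0/0", DESCR: "36x100G line card"\n'
              'PID: NC55-36X100G, VID: V01, SN: XXX00000002\n'
              'NAME: "0/1", DESCR: "24x400G line card"\n'
              'PID: NC57-24DD, VID: V01, SN: XXX00000003\n',
    "edge-b": 'NAME: "Rack 0", DESCR: "fixed chassis"\n'
              'PID: NCS-57B1-6D24-SYS, VID: V01, SN: XXX00000004\n',
    "agg-c": 'NAME: "Rack 0", DESCR: "4-slot chassis"\n'
             'PID: NCS-5504, VID: V01, SN: XXX00000005\n'
             'NAME: "0/0", DESCR: "36x100G line card"\n'
             'PID: NC55-36X100G, VID: V01, SN: XXX00000006\n',
}

# Assumption: NCS 5700 routers carry PIDs starting "NCS-57" and NC57 line
# cards carry PIDs starting "NC57-"; confirm against your own inventory.
SCOPE = {"NCS-57": "NCS 5700 router", "NC57-": "NC57 line card"}

def parse_inventory(text):
    """Return (name, pid) pairs from consecutive NAME / PID lines."""
    entries, name = [], None
    for line in text.splitlines():
        m = re.match(r'\s*NAME:\s*"([^"]*)"', line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r'\s*PID:\s*([^\s,]+)', line)
        if m and name is not None:
            entries.append((name, m.group(1).upper()))
            name = None
    return entries

def classify(text):
    """List in-scope components as (name, pid, reason); empty means none found."""
    return [(name, pid, reason)
            for name, pid in parse_inventory(text)
            for prefix, reason in SCOPE.items() if pid.startswith(prefix)]

def triage(fleet):
    """Map hostname -> in-scope components, keeping only hosts that have any."""
    hits = {host: classify(text) for host, text in fleet.items()}
    return {host: found for host, found in hits.items() if found}

if __name__ == "__main__":
    for host, found in triage(SAMPLE_FLEET).items():
        print(host, found)
```

An NCS 5500 chassis populated only with non-NC57 cards (the constructed `agg-c`) is not flagged, matching the scope stated in this advisory.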
How it could be exploited
An attacker with network access to an affected Cisco NCS 5500 or NCS 5700 router sends a continuous flow of specially crafted packets to an interface during heavy traffic conditions. This triggers corruption of the EPNI Aligner, causing the NPU and ASIC to crash and stop processing all traffic on that interface.
Prerequisites
  • Network-accessible interface on a Cisco NCS 5500 Series router with NC57 line card or Cisco NCS 5700 router
  • Heavy transit traffic flowing through the target interface at time of attack
Remotely exploitable | No authentication required | High impact denial of service on critical network infrastructure | Affects devices in critical network segments
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
IOS XR Software | All versions | Fix available
Remediation & Mitigation
Do now
WORKAROUND: Implement ingress rate limiting or traffic policing on router interfaces to restrict packet flow rates
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply Cisco IOS XR software update that patches the EPNI Aligner interrupt handling vulnerability
Long-term hardening
HARDENING: Isolate affected NCS 5500/5700 routers on a protected network segment with access controls to limit traffic sources
API: /api/v1/advisories/1920ac28-0185-4f87-be9e-800050a223e8
