Description
A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network.

This vulnerability is due to memory exhaustion caused by not freeing memory during IKEv2 packet processing. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust resources, causing a DoS condition that will eventually require the device to be manually reloaded.
Published: 2026-03-04
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An unauthenticated remote attacker can send specially crafted IKEv2 packets to a Cisco Secure Firewall ASA or FTD device, causing memory not to be freed during packet processing. The resulting leak can exhaust device memory and trigger a DoS condition that ultimately requires a manual reload. The impact is limited to availability: the targeted firewall itself, and potentially services on downstream network devices if the firewall becomes unresponsive.

Affected Systems

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. No specific affected versions are listed here; users should check the software version running on their devices against the referenced Cisco Security Advisory for details.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity; the EPSS score of less than 1% suggests a very low exploitation probability at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based and requires no authentication or user interaction; the attacker must be able to reach the device's IKEv2 service. The CVSS vector's changed scope (S:C) reflects that the impact can extend beyond the firewall to services behind it.

Generated by OpenCVE AI on April 16, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco ASA or FTD firmware release that addresses the IKEv2 memory exhaustion issue.
  • Configure firewall rules or access lists to restrict inbound IKEv2 traffic to trusted peers only, reducing exposure to crafted packets.
  • Monitor device memory usage and IKEv2 traffic patterns; alert when memory thresholds are exceeded and schedule a controlled reload to restore availability before the device becomes unresponsive.

Generated by OpenCVE AI on April 16, 2026 at 13:25 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 20:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cisco firepower Threat Defense Software
CPEs                |                | cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*
                    |                | cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
Vendors & Products  |                | Cisco firepower Threat Defense Software

Thu, 16 Apr 2026 13:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Memory Exhaustion in IKEv2 Causing Remote DoS on Cisco ASA and FTD

Thu, 05 Mar 2026 09:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cisco
                    |                | Cisco adaptive Security Appliance Software
                    |                | Cisco secure Firewall Threat Defense
Vendors & Products  |                | Cisco
                    |                | Cisco adaptive Security Appliance Software
                    |                | Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 17:30:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to memory exhaustion caused by not freeing memory during IKEv2 packet processing. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust resources, causing a DoS condition that will eventually require the device to manually reload.
Weaknesses  |                | CWE-401
References  |                |
Metrics     |                | cvssV3_1
                               {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}


Subscriptions

  • Cisco Adaptive Security Appliance Software
  • Firepower Threat Defense Software
  • Secure Firewall Threat Defense

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T21:39:15.837Z

Reserved: 2025-10-08T11:59:15.350Z

Link: CVE-2026-20013

Vulnrichment

Updated: 2026-03-04T21:39:12.623Z

NVD

Status : Analyzed

Published: 2026-03-04T18:16:15.113

Modified: 2026-04-16T20:11:44.773

Link: CVE-2026-20013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses