Description
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper input validation by the OSPF protocol when parsing packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.
Published: 2026-03-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Memory Exhaustion
Action: Apply Patch
AI Analysis

Impact

An authenticated user on a network adjacent to the device can exploit a flaw in the OSPF protocol implementation on Cisco Secure Firewall appliances. The protocol fails to properly validate incoming OSPF packets, allowing an attacker to send crafted messages that cause the system to allocate memory uncontrollably. If the attack succeeds, the device exhausts its memory, leading to a service interruption or reboot.

Affected Systems

The vulnerability affects Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. No specific version range is provided in the advisory, so all releases that use the affected OSPF implementation are potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.3 corresponds to a medium severity rating. The EPSS score of less than 1% reflects a very low likelihood of observed exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely abused. The exploit requires an authenticated attacker on an adjacent network who can send specially crafted OSPF packets; it does not rely on a public internet surface.

Generated by OpenCVE AI on April 18, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest ASA/FTD firmware release that resolves the OSPF memory exhaustion flaw, as detailed in Cisco’s official advisory.
  • Disable OSPF on interfaces that do not require it or restrict OSPF packets to trusted sources only, thereby reducing the attack surface.
  • Deploy monitoring and alerting for abnormal memory usage and OSPF-related activity, and trigger remediation actions when thresholds are exceeded.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title OSPF Memory Exhaustion Leading to Denial of Service in Cisco Secure Firewall Devices

Thu, 16 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Cisco firepower Threat Defense Software
CPEs cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.10:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.11:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.12:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.13:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.14:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.15:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.16:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.17:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.18:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.4:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.5:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.6:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.7:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.8:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0.9:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.2.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.6.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.10.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.10:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.4:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.5:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.6:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.7:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.8:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.2.9:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.3.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.1.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.2.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.2.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.2.4:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.4.3:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.6.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.6.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.7.0:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.7.10.1:*:*:*:*:*:*:*
cpe:2.3:a:cisco:firepower_threat_defense_software:7.7.10:*:*:*:*:*:*:*
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
Vendors & Products Cisco firepower Threat Defense Software

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco adaptive Security Appliance Software
Cisco secure Firewall Threat Defense
Vendors & Products Cisco
Cisco adaptive Security Appliance Software
Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improperly validating input by the OSPF protocol when parsing packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T21:30:11.471Z

Reserved: 2025-10-08T11:59:15.352Z

Link: CVE-2026-20021

Vulnrichment

Updated: 2026-03-04T21:30:06.900Z

NVD

Status: Analyzed

Published: 2026-03-04T19:16:12.150

Modified: 2026-04-16T20:36:40.847

Link: CVE-2026-20021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses