Skip to main content

Cisco CVE-2026-20039

HIGH
Improper Clearing of Heap Memory Before Release ('Heap Inspection') (CWE-244)
2026-03-04 psirt@cisco.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Re-analysis Queued
Apr 16, 2026 - 20:07 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 04, 2026 - 18:16 nvd
HIGH 8.6

DescriptionCVE.org

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

AnalysisAI

Unauthenticated remote attackers can trigger a denial of service against Cisco Secure Firewall ASA and FTD devices by sending crafted HTTP requests to the VPN web server, exploiting ineffective memory management to force device reloads. The vulnerability requires no authentication or user interaction and affects all network-exposed instances. No patch is currently available.

Technical ContextAI

in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could al

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-20039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy