Skip to main content

Cisco CVE-2026-20086

| EUVDEUVD-2026-15433 HIGH
Improper Handling of Missing Values (CWE-230)
2026-03-25 cisco GHSA-m53c-9wh4-q9hq
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15433
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 16:02 nvd
HIGH 8.6

DescriptionCVE.org

A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of a malformed CAPWAP packet. An attacker could exploit this vulnerability by sending a malformed CAPWAP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition.

AnalysisAI

This is a denial of service vulnerability in Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family caused by improper handling of malformed CAPWAP (Control and Provisioning of Wireless Access Points) packets. The vulnerability affects multiple versions of Cisco IOS XE Software in the 17.14.x through 17.18.x release trains. An unauthenticated remote attacker can exploit this to cause the wireless controller to reload unexpectedly, resulting in complete network disruption with a high severity CVSS score of 8.6.

Technical ContextAI

The vulnerability resides in the CAPWAP protocol implementation, which is used for communication between wireless controllers and access points in enterprise wireless networks. According to the CPE data (cpe:2.3:a:cisco:cisco_ios_xe_software), this affects Cisco IOS XE Software specifically when deployed as wireless controller software on Catalyst CW9800 series devices. The root cause is classified as CWE-230 (Improper Handling of Missing Values), indicating the software fails to properly validate or handle missing or malformed fields in CAPWAP packets before processing them. CAPWAP operates over UDP port 5246/5247 and encapsulates wireless management and data frames, making it a critical protocol for wireless network infrastructure. The improper input validation allows specially crafted packets to trigger unexpected behavior leading to device reload.

RemediationAI

Cisco recommends upgrading affected IOS XE Software installations to a fixed release as specified in the security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dos-hnX5KGOm. Organizations should consult the Cisco Security Advisory for specific fixed versions corresponding to their current release train, as Cisco typically provides fixes in subsequent maintenance releases or suggested migration paths to newer trains. As an interim mitigation until patching is complete, network administrators should implement access control lists (ACLs) to restrict CAPWAP traffic (UDP ports 5246 and 5247) to only authorized access points using known IP addresses or subnets, preventing untrusted sources from sending malformed packets to the wireless controller. Additional hardening measures include deploying the wireless controllers behind firewalls with strict ingress filtering and enabling device monitoring to detect unexpected reload events that may indicate exploitation attempts.

Share

CVE-2026-20086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy