FKIE_CVE-2026-20118

Vulnerability from fkie_nvd - Published: 2026-03-11 17:16 - Updated: 2026-03-12 21:08
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Summary
A vulnerability in the handling of an Egress Packet Network Interface (EPNI) Aligner interrupt in Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series with NC57 line cards and Cisco NCS 5700 Routers and Cisco IOS XR Software for Third Party Software could allow an unauthenticated, remote attacker to cause the network processing unit (NPU) and ASIC to stop processing, preventing traffic from traversing the interface. This vulnerability is due to the corruption of packets in specific cases when an EPNI Aligner interrupt is triggered while an affected device is experiencing heavy transit traffic. An attacker could exploit this vulnerability by sending a continuous flow of crafted packets to an interface of the affected device. A successful exploit could allow the attacker to cause persistent, heavy packet loss, resulting in a denial of service (DoS) condition. Note: If active exploitation of this vulnerability is suspected, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider. Cisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates. This change was made because the affected device operates within a critical network segment where compromise could lead to significant disruption or exposure, thereby elevating the overall risk beyond the base technical severity.
References
psirt@cisco.comhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrncs-epni-int-dos-TWMffUsN
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the handling of an Egress Packet Network Interface (EPNI) Aligner interrupt in Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series with NC57 line cards and Cisco NCS 5700 Routers and Cisco IOS XR Software for Third Party Software could allow an unauthenticated, remote attacker to cause the network processing unit (NPU) and ASIC to stop processing, preventing traffic from traversing the interface.\r\n\r\nThis vulnerability is due to the corruption of packets in specific cases when an EPNI Aligner interrupt is triggered while an affected device is experiencing heavy transit traffic. An attacker could exploit this vulnerability by sending a continuous flow of crafted packets to an interface of the affected device. A successful exploit could allow the attacker to cause persistent, heavy packet loss, resulting in a denial of service (DoS) condition.\r\nNote: If active exploitation of this vulnerability is suspected, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider.\r\nCisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates. This change was made because the affected device operates within a critical network segment where compromise could lead to significant disruption or exposure, thereby elevating the overall risk beyond the base technical severity."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el manejo de una interrupci\u00f3n del alineador de la interfaz de red de paquetes de salida (EPNI) en el software Cisco IOS XR para las series Cisco Network Convergence System (NCS) 5500 con tarjetas de l\u00ednea NC57 y los routers Cisco NCS 5700 y el software Cisco IOS XR para software de terceros podr\u00eda permitir a un atacante remoto no autenticado que la unidad de procesamiento de red (NPU) y el ASIC dejen de procesar, impidiendo que el tr\u00e1fico atraviese la interfaz.\n\nEsta vulnerabilidad se debe a la corrupci\u00f3n de paquetes en casos espec\u00edficos cuando se activa una interrupci\u00f3n del alineador EPNI mientras un dispositivo afectado experimenta un tr\u00e1fico de tr\u00e1nsito intenso. Un atacante podr\u00eda explotar esta vulnerabilidad enviando un flujo continuo de paquetes manipulados a una interfaz del dispositivo afectado. Un exploit exitoso podr\u00eda permitir al atacante causar una p\u00e9rdida de paquetes persistente e intensa, lo que resultar\u00eda en una condici\u00f3n de denegaci\u00f3n de servicio (DoS).\nNota: Si se sospecha de una explotaci\u00f3n activa de esta vulnerabilidad, p\u00f3ngase en contacto con el Centro de Asistencia T\u00e9cnica (TAC) de Cisco o con su proveedor de mantenimiento contratado.\nCisco ha asignado a este aviso de seguridad una Calificaci\u00f3n de Impacto de Seguridad (SIR) de Alta en lugar de Media, como indica la puntuaci\u00f3n. Este cambio se realiz\u00f3 porque el dispositivo afectado opera dentro de un segmento de red cr\u00edtico donde un compromiso podr\u00eda provocar una interrupci\u00f3n o exposici\u00f3n significativa, elevando as\u00ed el riesgo general m\u00e1s all\u00e1 de la gravedad t\u00e9cnica base."
    }
  ],
  "id": "CVE-2026-20118",
  "lastModified": "2026-03-12T21:08:22.643",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 4.0,
        "source": "psirt@cisco.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-11T17:16:56.223",
  "references": [
    {
      "source": "psirt@cisco.com",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrncs-epni-int-dos-TWMffUsN"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-460"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.