Cisco Security Advisory
Published Date: May 20, 2026
CVE: CVE-2026-20171
Advisory Summary
❗ALERT Medium Severity BGP Denial of Service Vulnerability in Cisco Nexus 3000 and 9000 Series Switches
A vulnerability identified as CVE-2026-20171 affects the Border Gateway Protocol (BGP) enforce-first-AS feature on Cisco Nexus 3000 and 9000 Series Switches running in standalone NX-OS mode. Due to improper parsing of a transitive BGP attribute, an unauthenticated remote attacker can inject a crafted BGP update into an established BGP peer session. This malicious update forces the affected switches to drop and flap BGP sessions repeatedly, resulting in denial of service (DoS) conditions that can disrupt network stability and routing integrity.
Cisco has issued security patches to remediate this vulnerability and recommends promptly applying the provided software updates. In the interim, mitigating workarounds are also outlined to reduce exposure risks. Network operators using Nexus 3000 or 9000 Series platforms should prioritize reviewing and installing the updates to ensure continuity of BGP routing and avoid potential service outages caused by session flapping.
This vulnerability highlights the ongoing risks in dynamic routing protocol implementations within critical data center networking hardware and underscores the necessity of vigilant patch management.
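The symptom this advisory describes, BGP sessions that drop and re-establish repeatedly, can be watched for in switch syslog while updates are being rolled out. The following is an added example, not code from Cisco or from this advisory: the ADJCHANGE-style line layout, the host names, the peer addresses and the thresholds are all assumptions and must be adapted to what your switches actually log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the advisory). The line
# layout is an assumption; adjust LINE_RE to your switches' real output.
SAMPLE_LOG = """\
2026-05-20T08:00:00 nx2 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 203.0.113.9 Down - holdtimer expired
2026-05-20T09:00:00 nx2 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 203.0.113.9 Down - holdtimer expired
2026-05-20T10:00:05 nx1 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 192.0.2.1 Down - notification sent
2026-05-20T10:00:40 nx1 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 192.0.2.1 Up
2026-05-20T10:01:30 nx1 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 192.0.2.1 Down - notification sent
2026-05-20T10:02:00 nx1 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 198.51.100.7 Down - peer closed
2026-05-20T10:03:10 nx1 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 192.0.2.1 Down - notification sent
2026-05-20T10:04:45 nx1 %BGP-5-ADJCHANGE: bgp-65001 [4242] (default) neighbor 192.0.2.1 Down - notification sent
2026-05-20T10:05:00 nx1 %SOMETHING-6-ELSE: unrelated message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%BGP-\d-ADJCHANGE:.*?"
    r"neighbor\s+(?P<peer>\S+)\s+(?P<state>Up|Down)\b"
)


def find_flapping_peers(lines, max_downs=3, window=timedelta(minutes=10)):
    """Return {(host, peer): peak Down count} for sessions that went Down at
    least max_downs times inside one sliding window. Each peer's lines are
    expected in chronological order, as in a normal syslog file."""
    recent = defaultdict(deque)   # (host, peer) -> Down timestamps still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["state"] != "Down":
            continue              # only Down transitions count as a flap
        ts = datetime.fromisoformat(m["ts"])
        key = (m["host"], m["peer"])
        downs = recent[key]
        downs.append(ts)
        while ts - downs[0] > window:
            downs.popleft()       # forget Down events older than the window
        if len(downs) >= max_downs:
            flagged[key] = max(flagged.get(key, 0), len(downs))
    return flagged


if __name__ == "__main__":
    for (host, peer), count in find_flapping_peers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: neighbor {peer} went Down {count} times within the window")
```

A peer that resets once, or three times spread over hours, is not flagged; only the session with several Down transitions inside one ten-minute window is reported.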
Reference: Vendor Advisory