CVE-2026-20051 Overview
A vulnerability in the Ethernet VPN (EVPN) Layer 2 ingress packet processing of Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500-R Series Switching Platforms could allow an unauthenticated, adjacent attacker to trigger a Layer 2 traffic loop, resulting in a denial of service (DoS) condition.
This vulnerability is due to a logic error when processing crafted Layer 2 ingress frames. An attacker could exploit this vulnerability by sending a stream of crafted Ethernet frames through the targeted device. A successful exploit could allow the attacker to cause a Layer 2 Virtual eXtensible LAN (VxLAN) traffic loop, which could oversubscribe the bandwidth on network interfaces and result in all data plane traffic being dropped.
Critical Impact
This vulnerability can cause complete data plane traffic disruption through a Layer 2 VxLAN traffic loop, requiring manual intervention to restore network operations.
Affected Products
- Cisco Nexus 3600 Platform Switches
- Cisco Nexus 9500-R Series Switching Platforms
- Devices running affected NX-OS software with EVPN configurations
Discovery Timeline
- February 25, 2026 - CVE-2026-20051 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20051
Vulnerability Analysis
The vulnerability resides in the EVPN Layer 2 ingress packet processing functionality of affected Cisco Nexus switches. When the device receives specially crafted Layer 2 Ethernet frames, a logic error in the packet processing code causes the frames to be improperly handled, resulting in a traffic loop condition.
The attack requires Layer 2 adjacency to the targeted device, meaning the attacker must be on the same network segment. No authentication is required to exploit this vulnerability, and no user interaction is necessary. The vulnerability has a changed scope, indicating that successful exploitation can impact resources beyond the vulnerable component itself.
The resulting traffic loop can completely saturate network interfaces, causing all legitimate data plane traffic to be dropped. This creates a significant availability impact for organizations relying on these switches for their network infrastructure.
Root Cause
The root cause of this vulnerability is CWE-457: Use of Uninitialized Variable. A logic error in the EVPN Layer 2 ingress packet processing code fails to properly handle certain crafted Ethernet frames, leading to the creation of a Layer 2 VxLAN traffic loop. This uninitialized or improperly initialized state causes the device to repeatedly forward traffic in a loop pattern.
Attack Vector
The attack vector requires Layer 2 adjacency to the affected device. An attacker positioned on the same network segment can send a stream of crafted Ethernet frames to the targeted switch. The attack does not require any privileges or authentication, making it relatively straightforward to execute for an attacker with physical or logical Layer 2 access.
Once the crafted frames are processed, the traffic loop begins and continues until manual intervention is performed. Network administrators must stop the crafted traffic and flap all involved network interfaces to restore normal operations. Cisco recommends contacting the Technical Assistance Center (TAC) if a Layer 2 loop related to this vulnerability is suspected.
Detection Methods for CVE-2026-20051
Indicators of Compromise
- Sudden and unexplained spikes in bandwidth utilization on network interfaces
- Layer 2 traffic loops detected in EVPN/VxLAN environments
- Complete loss of data plane traffic across affected network segments
- Interface error counters showing abnormal packet rates or drops
Detection Strategies
- Monitor network interface bandwidth utilization for unusual spikes or saturation
- Implement Layer 2 loop detection mechanisms and spanning tree protocol monitoring
- Configure SNMP traps for interface utilization thresholds and link state changes
- Review NX-OS system logs for EVPN-related error messages or warnings
Monitoring Recommendations
- Deploy network traffic analysis tools capable of detecting Layer 2 anomalies
- Establish baseline traffic patterns for EVPN environments to identify deviations
- Configure alerting for sudden changes in interface statistics or packet forwarding rates
- Maintain visibility into VxLAN overlay network health and performance metrics
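The utilization and baseline checks listed above can be automated from polled interface counters. The Python script below is an added example, not part of the original page or of any Cisco tooling; the counter samples, link speed, baselines and thresholds are constructed, and the loop signature it applies (several ports saturated in both directions at once, far above their baseline) is a heuristic assumption rather than an indicator taken from the advisory.

```python
# Heuristic Layer 2 loop detector over polled interface octet counters.
# All counters and baselines below are constructed for the illustration.
LINK_BPS = 10_000_000_000   # assumed 10 Gb/s on every port
INTERVAL_S = 10             # seconds between the two counter polls
SATURATION = 0.90           # in AND out above this fraction => saturated
SPIKE_FACTOR = 5.0          # utilization >= this x baseline => spike
MIN_SATURATED = 2           # a loop saturates more than one port

# (in_octets, out_octets) at poll 0 and poll 1, as read from SNMP ifHCInOctets/ifHCOutOctets.
COUNTERS = {
    "Ethernet1/1": [(10_000_000_000, 9_000_000_000), (22_000_000_000, 21_000_000_000)],
    "Ethernet1/2": [(4_000_000_000, 4_500_000_000), (15_900_000_000, 16_400_000_000)],
    "Ethernet1/3": [(7_000_000_000, 7_000_000_000), (7_500_000_000, 7_400_000_000)],
    "Ethernet1/4": [(9_000_000_000, 9_000_000_000), (100_000_000, 90_000_000)],  # reset
}
# Long-term average utilization seen during normal operation (constructed).
BASELINE_UTIL = {"Ethernet1/1": 0.05, "Ethernet1/2": 0.08,
                 "Ethernet1/3": 0.03, "Ethernet1/4": 0.02}


def utilization(before, after):
    """Per-direction utilization (0.0-1.0) between two reads; None if a
    counter went backwards (reload or counter clear), since that delta is junk."""
    deltas = [a - b for b, a in zip(before, after)]
    if min(deltas) < 0:
        return None
    return tuple(d * 8 / (INTERVAL_S * LINK_BPS) for d in deltas)


def analyze(counters=COUNTERS, baseline=BASELINE_UTIL):
    """Return {interface: finding} for every interface with usable counters."""
    findings = {}
    for ifname, (poll0, poll1) in counters.items():
        util = utilization(poll0, poll1)
        if util is None:
            continue
        in_util, out_util = util
        findings[ifname] = {
            "in_util": round(in_util, 3), "out_util": round(out_util, 3),
            # A loop floods a port in both directions; a busy uplink usually does not.
            "saturated": in_util >= SATURATION and out_util >= SATURATION,
            "spike": max(util) >= SPIKE_FACTOR * baseline.get(ifname, 0.0),
        }
    return findings


def loop_suspected(findings):
    """(flag, ports): flag is True when several ports are saturated both ways."""
    hot = sorted(n for n, f in findings.items() if f["saturated"] and f["spike"])
    return len(hot) >= MIN_SATURATED, hot
```

On the constructed sample, `loop_suspected(analyze())` flags Ethernet1/1 and Ethernet1/2, ignores the normally loaded Ethernet1/3, and skips Ethernet1/4 because its counters went backwards.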
How to Mitigate CVE-2026-20051
Immediate Actions Required
- Review the Cisco Security Advisory for affected software versions and available patches
- Identify all Cisco Nexus 3600 and 9500-R Series switches in your environment running EVPN configurations
- If a traffic loop is actively occurring, flap all involved network interfaces to break the loop
- Implement network segmentation to limit Layer 2 adjacency exposure where possible
Patch Information
Cisco has released a security advisory addressing this vulnerability. Administrators should consult the Cisco Security Advisory for specific software version information and upgrade guidance. Apply the recommended NX-OS software updates to affected devices as soon as possible following change management procedures.
Workarounds
- Restrict Layer 2 access to trusted network segments and devices only
- Implement 802.1X port-based network access control to limit unauthorized device access
- Deploy network access control lists (ACLs) where possible to filter traffic at network boundaries
- Monitor for and block suspicious traffic patterns at the network edge
# Example: flap interfaces to break an active traffic loop.
# Execute on the affected Nexus switch only after the crafted traffic has been
# stopped at its source; otherwise the loop re-forms as soon as the ports come up.
# Replace the range below with the interfaces actually involved in the loop;
# "1/1-48" is a placeholder and would take all 48 ports in that range down at once.
configure terminal
interface ethernet 1/1-48
shutdown
no shutdown
end
# Optional: the shutdown/no shutdown sequence leaves the running configuration
# unchanged, so saving is only needed if other changes were made in this session.
copy running-config startup-config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.