CVE-2026-20074 Overview
A vulnerability exists in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software that could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly. This vulnerability stems from insufficient input validation of ingress IS-IS packets, enabling an attacker who has established an adjacency with an affected device to send crafted IS-IS packets that trigger a denial of service condition.
Critical Impact
Successful exploitation allows an adjacent attacker to cause the IS-IS routing process to restart, resulting in temporary loss of connectivity to advertised networks and a denial of service (DoS) condition affecting network routing stability.
Affected Products
- Cisco IOS XR Software with IS-IS multi-instance routing feature enabled
- Network devices running vulnerable versions of Cisco IOS XR
- Routing infrastructure utilizing IS-IS protocol adjacencies
Discovery Timeline
- 2026-03-11 - CVE-2026-20074 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-20074
Vulnerability Analysis
This vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input), indicating a flaw in how the IS-IS process validates incoming protocol packets. IS-IS is a link-state routing protocol used primarily in service provider and enterprise backbone networks to exchange routing information; its packets are carried directly in data link layer (Layer 2) frames rather than over IP.
The vulnerability requires the attacker to be Layer 2-adjacent to the target device, meaning they must have direct network connectivity at the data link layer. Additionally, the attacker must first establish an IS-IS adjacency with the target device before exploitation is possible. Once these conditions are met, specially crafted IS-IS packets can trigger unexpected process restarts, disrupting the routing table and causing network instability.
Root Cause
The root cause lies in insufficient input validation of ingress IS-IS packets within the Cisco IOS XR Software. When the IS-IS multi-instance routing feature processes incoming packets from adjacent neighbors, certain malformed or crafted packet contents are not properly validated before processing. This allows an attacker who has formed a valid IS-IS adjacency to inject packets that cause the IS-IS process to enter an unexpected state and restart.
Attack Vector
The attack requires the adversary to be positioned on an adjacent network segment (Layer 2 adjacent) to the target Cisco IOS XR device. The attacker must first successfully form an IS-IS adjacency with the affected device, which requires knowledge of the IS-IS domain configuration and potentially authentication credentials if IS-IS authentication is enabled.
Once adjacency is established, the attacker can send specially crafted IS-IS Link State Protocol Data Units (LSPs) or other IS-IS packet types that exploit the input validation weakness. The crafted packets cause the IS-IS process to restart, temporarily removing the device's routes from the network topology and causing traffic disruption until the process recovers and adjacencies are re-established.
Detection Methods for CVE-2026-20074
Indicators of Compromise
- Unexpected IS-IS process restarts logged in system messages on Cisco IOS XR devices
- Repeated IS-IS adjacency flaps with specific neighboring devices
- Abnormal or malformed IS-IS packets observed in network captures
- Syslog entries indicating IS-IS process crashes or core dumps
Detection Strategies
- Monitor IS-IS process stability through Cisco IOS XR system logging and SNMP traps
- Implement packet capture at Layer 2 boundaries to identify anomalous IS-IS traffic patterns
- Configure alerting for repeated IS-IS adjacency state changes in network management systems
- Review IS-IS neighbor tables for unexpected or unauthorized adjacencies
Monitoring Recommendations
- Enable detailed IS-IS process logging on all affected Cisco IOS XR devices
- Deploy network monitoring solutions that track IS-IS topology changes and convergence events
- Establish baseline metrics for IS-IS process uptime and adjacency stability
- Configure SNMP polling to detect IS-IS process restarts promptly
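The correlation behind the indicators above, as an added example (not Cisco's code and not part of the original page): because exploitation requires an established adjacency, it counts IS-IS process exits that follow an adjacency coming Up within a short window and reports neighbors seen repeatedly. The syslog patterns, the sample lines, the neighbor names and the expected-neighbor allowlist are assumptions constructed for illustration; adjust the patterns to the messages your routers emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed message shapes; adjust the patterns to what your routers actually log.
TS_RE = re.compile(r"([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
ADJ_RE = re.compile(r"ISIS-\d-ADJCHANGE\s*:\s*Adjacency to (\S+) \((\S+)\) \(L[12]\) (Up|Down)")
EXIT_RE = re.compile(r"SYSMGR-\d-\w+\s*:\s*isis\b.*\bexited\b")

# Constructed sample input, not captured from a real device.
P = "RP/0/RP0/CPU0:Mar 12 "
A = " UTC: isis[1010]: %ROUTING-ISIS-5-ADJCHANGE : Adjacency to "
X = " UTC: sysmgr[85]: %OS-SYSMGR-3-ERROR : isis(1) (jid 1010) exited, will be respawned"
SAMPLE_LOG = [
    P + "09:00:00" + A + "core-p1 (GigabitEthernet0/0/0/1) (L2) Up, New adjacency",
    P + "10:00:01" + A + "ce-lab (GigabitEthernet0/0/0/0) (L2) Up, New adjacency",
    P + "10:00:40" + X,
    P + "10:01:30" + A + "core-p1 (GigabitEthernet0/0/0/1) (L2) Up, New adjacency",
    P + "10:05:02" + A + "ce-lab (GigabitEthernet0/0/0/0) (L2) Up, New adjacency",
    P + "10:05:45" + X,
]

def parse_ts(line, year=2026):
    m = TS_RE.search(line)  # syslog omits the year, so the caller supplies it
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def suspects(lines, expected, window_s=120, min_restarts=2):
    """Return (restart count, neighbors whose adjacency came Up shortly before repeated restarts)."""
    last_up, hits, restarts = {}, defaultdict(int), 0
    for line in lines:
        ts = parse_ts(line)
        adj = ADJ_RE.search(line)
        if ts is None:
            continue
        if adj:
            key = (adj.group(1), adj.group(2))      # (neighbor, interface)
            if adj.group(3) == "Up":
                last_up[key] = ts
            else:
                last_up.pop(key, None)
        elif EXIT_RE.search(line):
            restarts += 1
            for key, up_at in last_up.items():
                if ts - up_at <= timedelta(seconds=window_s):
                    hits[key] += 1
            last_up.clear()                         # a process restart drops every adjacency
    return restarts, {k: {"restarts": n, "expected": k[0] in expected}
                      for k, n in hits.items() if n >= min_restarts}
```

A legitimate neighbor that re-forms its adjacency shortly before the next restart is counted as well, so the `expected` flag is what separates known peers from adjacencies that need review.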
How to Mitigate CVE-2026-20074
Immediate Actions Required
- Review the Cisco Security Advisory for affected versions and fixed software releases
- Implement IS-IS authentication (MD5 or key-chain based) to prevent unauthorized adjacency formation
- Restrict physical and logical access to network segments where IS-IS adjacencies can be formed
- Prioritize patching of Cisco IOS XR devices in critical network infrastructure positions
Patch Information
Cisco has released a security advisory addressing this vulnerability. Administrators should consult the Cisco Security Advisory (cisco-sa-isis-dos-kDMxpSzK) for specific information about affected software versions and available patches. Organizations should prioritize upgrading to a fixed software release as recommended by Cisco.
Workarounds
- Enable IS-IS authentication (hello-password and lsp-password with hmac-md5 on IOS XR, as in the configuration example below) to prevent unauthorized adjacency formation
- Implement access control lists (ACLs) at ingress points to filter traffic from untrusted sources
- Segment the network to limit Layer 2 adjacency possibilities with untrusted devices
- Consider disabling the IS-IS multi-instance routing feature if not required for operations
! Configuration example - Enable IS-IS authentication
router isis CORE
 lsp-password hmac-md5 clear YOUR_PASSWORD level 1
 lsp-password hmac-md5 clear YOUR_PASSWORD level 2
 interface GigabitEthernet0/0/0/0
  hello-password hmac-md5 clear YOUR_PASSWORD level 1
  hello-password hmac-md5 clear YOUR_PASSWORD level 2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


