CVE-2026-20074 Overview
A vulnerability exists in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software that could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly. This vulnerability stems from insufficient input validation of ingress IS-IS packets, enabling an attacker who has established an adjacency with an affected device to send crafted IS-IS packets that trigger a denial of service condition.
Critical Impact
Successful exploitation allows an adjacent attacker to cause the IS-IS routing process to restart, resulting in temporary loss of connectivity to advertised networks and a denial of service (DoS) condition affecting network routing stability.
Affected Products
- Cisco IOS XR Software with IS-IS multi-instance routing feature enabled
- Network devices running vulnerable versions of Cisco IOS XR
- Routing infrastructure utilizing IS-IS protocol adjacencies
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-20074 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-20074
Vulnerability Analysis
This vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input), indicating a fundamental flaw in how the IS-IS process handles incoming protocol packets. The IS-IS protocol operates at Layer 2 of the OSI model, functioning as a link-state routing protocol used primarily in service provider and enterprise backbone networks to exchange routing information.
The vulnerability requires the attacker to be Layer 2-adjacent to the target device, meaning they must have direct network connectivity at the data link layer. Additionally, the attacker must first establish an IS-IS adjacency with the target device before exploitation is possible. Once these conditions are met, specially crafted IS-IS packets can trigger unexpected process restarts, disrupting the routing table and causing network instability.
Root Cause
The root cause lies in insufficient input validation of ingress IS-IS packets within the Cisco IOS XR Software. When the IS-IS multi-instance routing feature processes incoming packets from adjacent neighbors, certain malformed or crafted packet contents are not properly validated before processing. This allows an attacker who has formed a valid IS-IS adjacency to inject packets that cause the IS-IS process to enter an unexpected state and restart.
Attack Vector
The attack requires the adversary to be positioned on an adjacent network segment (Layer 2 adjacent) to the target Cisco IOS XR device. The attacker must first successfully form an IS-IS adjacency with the affected device, which requires knowledge of the IS-IS domain configuration and potentially authentication credentials if IS-IS authentication is enabled.
Once adjacency is established, the attacker can send specially crafted IS-IS Link State Protocol Data Units (LSPs) or other IS-IS packet types that exploit the input validation weakness. The crafted packets cause the IS-IS process to restart, temporarily removing the device's routes from the network topology and causing traffic disruption until the process recovers and adjacencies are re-established.
Detection Methods for CVE-2026-20074
Indicators of Compromise
- Unexpected IS-IS process restarts logged in system messages on Cisco IOS XR devices
- Repeated IS-IS adjacency flaps with specific neighboring devices
- Abnormal or malformed IS-IS packets observed in network captures
- Syslog entries indicating IS-IS process crashes or core dumps
Detection Strategies
- Monitor IS-IS process stability through Cisco IOS XR system logging and SNMP traps
- Implement packet capture at Layer 2 boundaries to identify anomalous IS-IS traffic patterns
- Configure alerting for repeated IS-IS adjacency state changes in network management systems
- Review IS-IS neighbor tables for unexpected or unauthorized adjacencies
Monitoring Recommendations
- Enable detailed IS-IS process logging on all affected Cisco IOS XR devices
- Deploy network monitoring solutions that track IS-IS topology changes and convergence events
- Establish baseline metrics for IS-IS process uptime and adjacency stability
- Configure SNMP polling to detect IS-IS process restarts promptly
How to Mitigate CVE-2026-20074
Immediate Actions Required
- Review the Cisco Security Advisory for affected versions and fixed software releases
- Implement IS-IS authentication (MD5 or key-chain based) to prevent unauthorized adjacency formation
- Restrict physical and logical access to network segments where IS-IS adjacencies can be formed
- Prioritize patching of Cisco IOS XR devices in critical network infrastructure positions
Patch Information
Cisco has released a security advisory addressing this vulnerability. Administrators should consult the Cisco Security Advisory (cisco-sa-isis-dos-kDMxpSzK) for specific information about affected software versions and available patches. Organizations should prioritize upgrading to a fixed software release as recommended by Cisco.
Workarounds
- Enable IS-IS authentication using isis authentication mode md5 to prevent unauthorized adjacency formation
- Implement access control lists (ACLs) at ingress points to filter traffic from untrusted sources
- Segment the network to limit Layer 2 adjacency possibilities with untrusted devices
- Consider disabling the IS-IS multi-instance routing feature if not required for operations
# Configuration example - Enable IS-IS authentication
router isis CORE
lsp-password hmac-md5 clear YOUR_PASSWORD level 1
lsp-password hmac-md5 clear YOUR_PASSWORD level 2
interface GigabitEthernet0/0/0/0
hello-password hmac-md5 clear YOUR_PASSWORD level 1
hello-password hmac-md5 clear YOUR_PASSWORD level 2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
