Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-20118

CVE-2026-20118: Cisco IOS XR Software DoS Vulnerability

CVE-2026-20118 is a denial of service vulnerability in Cisco IOS XR Software for NCS 5500/5700 Series that causes NPU failures and traffic disruption. This article covers technical details, affected systems, and mitigation.

Updated:

CVE-2026-20118 Overview

CVE-2026-20118 is a denial of service vulnerability in Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series with NC57 line cards, Cisco NCS 5700 Routers, and Cisco IOS XR Software for Third Party Software. The flaw resides in the handling of an Egress Packet Network Interface (EPNI) Aligner interrupt. An unauthenticated, remote attacker can send a continuous flow of crafted packets to an affected interface, causing the network processing unit (NPU) and ASIC to stop processing traffic. Cisco assigned this advisory a Security Impact Rating (SIR) of High based on the criticality of affected network segments.

Critical Impact

Successful exploitation halts NPU and ASIC packet processing, producing persistent, heavy packet loss and a sustained denial of service condition on transit interfaces.

Affected Products

  • Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series with NC57 line cards
  • Cisco NCS 5700 Series Routers running Cisco IOS XR Software
  • Cisco IOS XR Software for Third Party Software on affected NCS platforms

Discovery Timeline

  • 2026-03-11 - CVE-2026-20118 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-20118

Vulnerability Analysis

The vulnerability stems from improper handling of an EPNI Aligner interrupt on the NPU and ASIC pipeline. When an affected device processes heavy transit traffic and an EPNI Aligner interrupt fires, packet corruption occurs within specific code paths. This corruption disrupts the egress packet pipeline rather than recovering gracefully. The result is that the NPU and ASIC stop forwarding traffic across the affected interface. The weakness is categorized under [CWE-460] Improper Cleanup on Thrown Exception, reflecting the unsafe state left behind when the interrupt fires under load. Exploitation requires no authentication and no user interaction, but the conditions needed to trigger the interrupt while traffic load is high raise the attack complexity.

Root Cause

The root cause is the device's failure to safely reconcile state when the EPNI Aligner interrupt is asserted concurrently with high-volume transit traffic. The affected handler does not properly restore packet processing state, leaving the NPU and ASIC in a stalled condition. Traffic queued for egress cannot drain through the affected interface until the device or line card is recovered.

Attack Vector

An unauthenticated attacker reaches the vulnerable code path remotely by sending a continuous flow of crafted packets to an interface on the affected device. The attacker does not require credentials, prior access, or user interaction. Sustained packet flow is required because the issue manifests only when transit load triggers the EPNI Aligner interrupt condition.

No verified public exploit code is available. Refer to the Cisco Security Advisory for vendor technical details on the affected interrupt handling logic.

Detection Methods for CVE-2026-20118

Indicators of Compromise

  • Sudden and persistent packet loss on a specific interface of an NCS 5500 (NC57) or NCS 5700 router with no corresponding configuration change.
  • NPU or ASIC stall messages, EPNI-related interrupt log entries, or traffic drops reported by show controllers npu and related platform diagnostics.
  • Sustained inbound traffic flow targeting a single interface that precedes the interface stall.

Detection Strategies

  • Correlate interface drop counters and NPU statistics against syslog events referencing EPNI, Aligner, or interrupt-handling subsystems.
  • Baseline transit traffic patterns to detect anomalous high-rate flows directed at edge interfaces.
  • Alert on repeated traffic blackholing events that recover only after line card reload, which is consistent with this stall condition.

Monitoring Recommendations

  • Stream IOS XR syslog and platform telemetry into a centralized analytics platform for correlation with NetFlow or IPFIX traffic data.
  • Monitor SNMP and model-driven telemetry counters for sudden zeroing of egress packet rates on affected interfaces.
  • Track contact with the Cisco Technical Assistance Center (TAC) procedures so operators can capture forensic state if active exploitation is suspected.

How to Mitigate CVE-2026-20118

Immediate Actions Required

  • Review the Cisco Security Advisory and identify NCS 5500 with NC57 line cards and NCS 5700 routers running affected Cisco IOS XR releases.
  • Schedule upgrades to the fixed Cisco IOS XR Software releases identified in the advisory.
  • Engage Cisco TAC or a contracted maintenance provider if active exploitation is suspected, as instructed by Cisco.

Patch Information

Cisco has published advisory cisco-sa-xrncs-epni-int-dos-TWMffUsN with fixed software information for affected Cisco IOS XR releases on NCS 5500 (NC57) and NCS 5700 platforms. Operators should apply the fixed release indicated by Cisco for their specific platform and train. No workaround that fully addresses the issue without upgrading is identified in the vendor advisory.

Workarounds

  • Apply edge access control lists (ACLs) and control-plane policing where feasible to rate-limit untrusted traffic toward exposed interfaces.
  • Restrict and segment exposure of vulnerable interfaces to trusted peers, reducing the surface available to unauthenticated remote attackers.
  • Implement upstream Quality of Service (QoS) and DDoS mitigation to dampen sustained crafted-packet floods that could trigger the interrupt condition.
bash
# Example: limit and log high-rate flows toward an edge interface on IOS XR
# Refer to the Cisco advisory for the authoritative fixed release
configure
 class-map match-any RATE-LIMIT-SUSPECT
  match access-group ipv4 SUSPECT-FLOWS
 !
 policy-map EDGE-PROTECT
  class RATE-LIMIT-SUSPECT
   police rate 50 mbps
   set discard-class 1
 !
 interface HundredGigE0/0/0/0
  service-policy input EDGE-PROTECT
commit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.