CVE-2026-20171 Overview
CVE-2026-20171 is a denial-of-service vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches running in standalone NX-OS mode. The flaw allows an unauthenticated, remote attacker to trigger BGP peer flaps by sending a crafted BGP update through an established peer session. When the update propagates to an affected device, it drops the BGP session with the upstream peer, producing repeated session resets and routing instability. The weakness is classified as CWE-670: Always-Incorrect Control Flow Implementation.
Critical Impact
A single crafted BGP update propagating across an autonomous system can repeatedly flap peer sessions on Cisco Nexus 3000 and 9000 devices, disrupting routing convergence and availability.
Affected Products
- Cisco Nexus 3000 Series Switches running NX-OS in standalone mode
- Cisco Nexus 9000 Series Switches running NX-OS in standalone mode
- Devices on which the BGP enforce-first-as feature is enabled for a session that lies in the update propagation path
Discovery Timeline
- 2026-05-20 - CVE-2026-20171 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-20171
Vulnerability Analysis
The vulnerability resides in how NX-OS parses a transitive BGP attribute when the enforce-first-as validation runs against an incoming UPDATE message. Transitive attributes are designed to propagate across autonomous systems even when intermediate routers do not understand them, which expands the blast radius of any parsing defect. An attacker does not need a direct peering relationship with the target. They only need to inject a malformed UPDATE into any BGP session that eventually propagates to a vulnerable Nexus device.
When the affected device evaluates the crafted attribute, the control flow incorrectly concludes the session is non-compliant and tears down the BGP adjacency. The peer re-establishes the session, the update is resent, and the cycle repeats. This produces sustained route flapping, table churn, and traffic black-holing across the impacted topology. Attack complexity is rated high because the attacker must position a crafted update in the propagation path, but no authentication, user interaction, or privileges on the target are required.
Root Cause
The root cause is incorrect parsing of a transitive BGP attribute inside the enforce-first-as enforcement logic. The validator misinterprets a structurally valid but crafted attribute, triggers an error condition, and forces the BGP finite state machine to reset the session. Because the offending attribute is transitive, it survives traversal through unaffected speakers and reaches the vulnerable Nexus device intact.
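To make the mechanics above concrete, here is an added example (not Cisco's code and not taken from the advisory) that parses the Path Attributes field of a BGP UPDATE per RFC 4271, applies the enforce-first-as rule (the first AS in AS_PATH must be the peer's AS), and shows why an attribute with the transitive flag set is kept for onward propagation even when its type is unknown. The sample byte string is constructed; 4-octet AS numbers are assumed.

```python
import struct

AS_PATH = 2                                   # well-known mandatory attribute
AS_SEQUENCE = 2                               # ordered AS_PATH segment type
TRANSITIVE, EXT_LEN = 0x40, 0x10              # attribute flag bits (RFC 4271)

def parse_path_attributes(data):
    """Split the Path Attributes field of an UPDATE into (flags, type, value)."""
    attrs, i = [], 0
    while i < len(data):
        flags, code = data[i], data[i + 1]
        if flags & EXT_LEN:                   # Extended Length: 2-byte length
            length, i = struct.unpack_from("!H", data, i + 2)[0], i + 4
        else:
            length, i = data[i + 2], i + 3
        if i + length > len(data):
            raise ValueError("attribute length runs past the field")
        attrs.append((flags, code, data[i:i + length]))
        i += length
    return attrs

def first_as(as_path):
    """First AS of the leading AS_SEQUENCE segment (4-octet ASNs assumed)."""
    i = 0
    while i + 2 <= len(as_path):
        seg_type, count = as_path[i], as_path[i + 1]
        if seg_type == AS_SEQUENCE and count:
            return struct.unpack_from("!I", as_path, i + 2)[0]
        i += 2 + 4 * count                    # skip AS_SET or empty segment
    return None

def validate_update(attrs, peer_as):
    """enforce-first-as: accept the route only if AS_PATH starts with peer_as.
    Returns (accepted, attribute codes kept). Attributes with the transitive
    bit set are kept even when their type is unknown (so a crafted transitive
    attribute crosses unaffected speakers intact); other unknowns are dropped."""
    accepted, kept = False, []
    for flags, code, value in attrs:
        if code == AS_PATH:
            accepted = first_as(value) == peer_as
        if flags & TRANSITIVE:
            kept.append(code)
    return accepted, kept

# Constructed sample (not a real capture): ORIGIN=IGP, AS_PATH 65001 65002, an
# unknown optional transitive attr (type 200) and a non-transitive one (201).
SAMPLE_ATTRS = (b"\x40\x01\x01\x00"
                + b"\x40\x02\x0a\x02\x02" + struct.pack("!II", 65001, 65002)
                + b"\xc0\xc8\x02\xde\xad"
                + b"\x80\xc9\x01\x01")
```

Note that a failed check here rejects the route, not the session: RFC 7606 recommends treating a malformed attribute as a withdraw of the affected prefixes rather than resetting the adjacency, which is exactly the control-flow distinction CWE-670 points at.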
Attack Vector
Exploitation requires the crafted UPDATE to arrive over an established BGP session. An attacker who controls or compromises any speaker in the propagation path, or who can inject routes through a route server or upstream provider, can deliver the payload. No code execution or data disclosure occurs. The impact is limited to availability through repeated session resets between the affected device and its directly connected BGP peer that forwarded the update.
No verified proof-of-concept code is publicly available for CVE-2026-20171.
See the Cisco Security Advisory referenced below for protocol-level technical details.
Detection Methods for CVE-2026-20171
Indicators of Compromise
- Repeated BGP session resets logged with %BGP-5-ADJCHANGE messages referencing the same peer within short intervals
- NX-OS syslog entries indicating BGP notification messages tied to attribute parsing or enforce-first-as validation failures
- Sudden routing table churn, withdrawn prefixes, and traffic loss correlated with peer flap events
- SNMP bgpBackwardTransition traps firing repeatedly against Nexus 3000 or 9000 devices
Detection Strategies
- Monitor BGP peer uptime and notification codes across NX-OS devices and alert on repeated transitions involving the same neighbor
- Correlate BGP flap events with received UPDATE timestamps to identify a single triggering announcement
- Inspect BGP UPDATE captures on suspect peering links for unusual or malformed transitive attributes
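The first two detection strategies can be scripted against exported syslog. The following is an added example, not part of the original page, that picks %BGP-5-ADJCHANGE lines out of a log, counts Down transitions per neighbor, and flags any neighbor that drops three or more times inside a five-minute sliding window. The log lines are constructed in a simplified "timestamp host message" shape; the host name, process id and reason text are assumptions, so adapt LINE_RE to your collector's actual format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "<iso-timestamp> <host> <message>"
# shape; real NX-OS syslog exports differ in header, so adapt LINE_RE to yours.
SAMPLE_LOG = """\
2026-05-20T10:00:01 nx9k-edge1 %BGP-5-ADJCHANGE: bgp-65000 [12345] (default) neighbor 192.0.2.1 Down - Notification sent
2026-05-20T10:00:45 nx9k-edge1 %BGP-5-ADJCHANGE: bgp-65000 [12345] (default) neighbor 192.0.2.1 Up
2026-05-20T10:01:10 nx9k-edge1 %BGP-5-ADJCHANGE: bgp-65000 [12345] (default) neighbor 192.0.2.1 Down - Notification sent
2026-05-20T10:01:55 nx9k-edge1 %BGP-5-ADJCHANGE: bgp-65000 [12345] (default) neighbor 192.0.2.1 Up
2026-05-20T10:02:30 nx9k-edge1 %BGP-5-ADJCHANGE: bgp-65000 [12345] (default) neighbor 192.0.2.1 Down - Notification sent
2026-05-20T10:30:00 nx9k-edge1 %BGP-5-ADJCHANGE: bgp-65000 [12345] (default) neighbor 192.0.2.9 Down - Administratively shutdown
2026-05-20T10:31:00 nx9k-edge1 %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %BGP-5-ADJCHANGE: .*?neighbor (?P<peer>\S+) (?P<state>Up|Down)"
)

def parse_adjchange(text):
    """Extract (timestamp, host, peer, state) from %BGP-5-ADJCHANGE lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"],
                           m["peer"], m["state"]))
    return events

def flapping_peers(events, threshold=3, window_s=300):
    """Return {(host, peer): downs} for neighbors with at least `threshold`
    Down transitions inside any sliding window of `window_s` seconds."""
    downs = defaultdict(list)
    for ts, host, peer, state in events:
        if state == "Down":
            downs[(host, peer)].append(ts)
    flagged, window = {}, timedelta(seconds=window_s)
    for key, times in downs.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1                 # slide the window forward
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged
```

Calling `flapping_peers(parse_adjchange(SAMPLE_LOG))` on the sample flags only neighbor 192.0.2.1 on nx9k-edge1 (three Downs in 149 seconds) and ignores the single administrative shutdown of 192.0.2.9; pivot from a flagged pair to the UPDATEs received just before each Down to find the triggering announcement.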
Monitoring Recommendations
- Stream NX-OS syslog and BGP notification telemetry into a centralized analytics platform for cross-device correlation
- Baseline normal peer flap frequency and alert on deviations on Nexus 3000 and 9000 switches
- Enable BGP Monitoring Protocol (BMP) where supported to capture UPDATE message contents for forensic review
How to Mitigate CVE-2026-20171
Immediate Actions Required
- Review the Cisco Security Advisory cisco-sa-bgp-iefab-3hb2pwtx and identify Nexus 3000 and 9000 devices running affected NX-OS releases
- Inventory which BGP peerings have enforce-first-as engaged and prioritize patching devices exposed to external or untrusted autonomous systems
- Apply BGP prefix and attribute filtering at administrative boundaries to constrain untrusted UPDATE propagation
Patch Information
Cisco has published advisory cisco-sa-bgp-iefab-3hb2pwtx for this vulnerability. Administrators should consult the advisory for the fixed NX-OS software trains for Nexus 3000 and Nexus 9000 standalone deployments and schedule upgrades during a maintenance window. No workaround fully eliminates exposure when the device receives transitive attributes from untrusted paths, so patching is the durable fix.
Workarounds
- Disable the BGP enforce-first-as feature on affected sessions if operationally acceptable until the patch is applied
- Implement inbound BGP attribute filters or route maps to drop unexpected transitive attributes from external peers
- Restrict eBGP sessions to authenticated, known peers and validate route advertisements with RPKI where feasible
# Temporary mitigation: disable enforce-first-as on a BGP neighbor (NX-OS)
configure terminal
router bgp <ASN>
neighbor <peer-ip>
no enforce-first-as
exit
end
copy running-config startup-config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.