CVE-2026-20051: High Vulnerability in Cisco Nexus 3600 and 9500-R Series Switching Platforms

A vulnerability with the Ethernet VPN (EVPN) Layer 2 ingress packet processing of Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500-R Series Switching Platforms could allow an unauthenticated, adjacent attacker to trigger a Layer 2 traffic loop. This vulnerability is due to a logic error when processing a crafted Layer 2 ingress frame. An attacker could exploit this vulnerability by sending a stream of crafted Ethernet frames through the targeted device. A successful exploit could allow the attacker to cause a Layer 2 Virtual eXtensible LAN (VxLAN) traffic loop, which, in turn, could result in a denial of service (DoS) condition.

This Layer 2 loop could oversubscribe the bandwidth on network interfaces, which would result in all data plane traffic being dropped. To exploit this vulnerability, the attacker must be Layer 2-adjacent to the affected device. To stop active exploitation of this vulnerability, manual intervention is required to both stop the crafted traffic and flap all involved network interfaces. For additional assistance if a Layer 2 loop that is related to this vulnerability is suspected, contact the Cisco Technical Assistance Center (TAC) or the proper support provider.

Risk to organizations includes potential service outages and data loss due to denial of service conditions. Given that this vulnerability has a CVSS score of 7.4, it is classified as high severity, and organizations should address in priority patch cycle.

As of now, there is no public exploit confirmed, and the vulnerability is not actively exploited in the wild. However, organizations must remain vigilant and assess their exposure to this risk.

Vulnerability Details

The vulnerability is classified as a logic error in the Ethernet VPN (EVPN) Layer 2 ingress packet processing components of the affected Cisco Nexus switch platforms. The CVSS score of 7.4 reflects a high severity due to its potential impact on availability, particularly through denial of service.

The affected products include Cisco Nexus 3600 and 9500-R Series Switching Platforms, with the vulnerability being disclosed on February 25, 2026. The corresponding CWE classification is CWE-457.

Technical Analysis

The root cause of this vulnerability is a logic error occurring during the processing of crafted Layer 2 ingress frames. The attack vector is local, requiring the attacker to be adjacent to the target network device. Given the low attack complexity and the requirement of no privileges or user interaction, the exploitability is significant.

Exploitation results in a high impact on availability, as the Layer 2 loop can cause all data plane traffic to be dropped, potentially leading to severe service disruptions.

Risk & Impact Analysis

Organizations deploying Cisco Nexus 3600 and 9500-R Series Switching Platforms should assess their network configurations and traffic patterns to identify potential vulnerabilities to this logic error. The risk is particularly pronounced in environments where Layer 2 adjacency is common, as attackers may exploit this vulnerability to create traffic loops that lead to network outages.

Organizations should prioritize patching immediately to mitigate the risk of denial-of-service attacks stemming from this vulnerability. The potential for a significant blast radius, affecting multiple interconnected systems, underscores the importance of a timely response.

Exploitation Status

Affected Versions

All versions prior to vendor patch are affected. Organizations should review their Cisco Nexus 3600 and 9500-R Series Switching Platforms for any applicable patches and updates.

Mitigation & Remediation

Organizations should prioritize patching immediately to remediate this vulnerability. Ensure that systems are updated with the latest vendor patches to prevent exploitation. If a patch is unavailable, consider implementing configuration hardening measures such as limiting Layer 2 adjacency and monitoring for unusual traffic patterns to mitigate the risk of exploitation.

For further details on effective penetration testing strategies to validate security postures, organizations should refer to resources on penetration testing and enhance their security controls.

Detection Guidance

To detect potential exploitation attempts, organizations should monitor logs for unusual Layer 2 traffic patterns and sudden spikes in bandwidth utilization. Behavioral anomalies indicative of traffic looping should also be investigated promptly.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability is apparent as it highlights the persistent risks associated with Layer 2 network protocols. Organizations must remain vigilant in their security assessments, focusing on potential misconfigurations and the need for robust monitoring practices.

As part of ongoing security improvements, reviewing and enhancing incident response plans can help organizations address similar vulnerabilities in the future. For comprehensive guidance on penetration testing methodologies, organizations can explore penetration testing methodology and develop effective security measures.

Organizations should also regularly audit their security posture to identify vulnerabilities, as discussed in the vulnerability management program design best practices.