VYPR
Medium severity (6.8) · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-20171

Description

A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.

This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in Cisco Nexus switches' BGP enforce-first-as feature allows unauthenticated remote attackers to cause DoS via crafted BGP updates.

Vulnerability

A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition. The root cause is incorrect parsing of a transitive BGP attribute by the affected feature [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it causes the device to drop the BGP session and flap with the BGP peer forwarding the update [1]. No authentication is required; the attacker needs only a path to inject the update into an established BGP peer session from which it propagates to the affected device.

Impact

Successful exploitation leads to repeated BGP session flaps, degrading network stability and potentially causing a denial of service for traffic relying on BGP routes. The affected device may become unreliable for routing updates [1].

Mitigation

Cisco has released software updates to address this vulnerability. Additionally, workarounds are available, such as disabling the enforce-first-as feature where possible. Users are advised to upgrade to a fixed software release as described in the Cisco Security Advisory [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)