CVE-2026-20010
📋 TL;DR
An unauthenticated attacker on the same network segment can send a specially crafted LLDP packet to vulnerable Cisco NX-OS devices, causing the LLDP process to restart and potentially triggering a full device reload. This results in a denial of service (DoS) condition affecting network availability. Only devices with LLDP enabled and attackers with Layer 2 adjacency are affected.
💻 Affected Systems
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 9000 Series Switches in NX-OS mode
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device reload causing extended network outage, potentially cascading to other network services and disrupting business operations.
Likely Case
Temporary service disruption as device reboots, affecting connectivity for connected systems until device recovers.
If Mitigated
Minimal impact if LLDP is disabled or network segmentation prevents attacker access to vulnerable interfaces.
🎯 Exploit Status
Exploitation requires sending a single crafted LLDP packet to a vulnerable interface. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for specific fixed releases
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k_aci_lldp_dos-NdgRrrA3
Restart Required: Yes
Instructions:
1. Review Cisco advisory for affected versions. 2. Download appropriate fixed software from Cisco. 3. Schedule maintenance window. 4. Upgrade to fixed version following Cisco upgrade procedures. 5. Verify upgrade success.
🔧 Temporary Workarounds
Disable LLDP on vulnerable interfaces
allDisables the LLDP protocol on interfaces where it's not required, preventing exploitation.
configure terminal
interface <interface-id>
no lldp transmit
no lldp receive
Implement Layer 2 access controls
allUse port security, MAC address filtering, or 802.1X to restrict which devices can send LLDP packets.
🧯 If You Can't Patch
- Disable LLDP on all interfaces where it's not essential for network operations
- Implement strict network segmentation to limit Layer 2 adjacency to trusted devices only
🔍 How to Verify
Check if Vulnerable:
Check device version with 'show version' and compare against affected versions in Cisco advisoryCheck Version:
show version | include NXOSVerify Fix Applied:
Verify upgraded version with 'show version' and confirm it matches fixed release from advisory📡 Detection & Monitoring
Log Indicators:
- Unexpected device reloads
- LLDP process restart messages
- System crash dumps
Network Indicators:
- Malformed LLDP packets on network
- Sudden loss of connectivity to affected devices
SIEM Query:
search 'device_reload' OR 'lldp' AND 'restart' OR 'crash'