
CVE-2026-20051: Use of Uninitialized Variable in Cisco NX-OS Software

Severity: High
Tags: Vulnerability, CVE-2026-20051
Published: Wed Feb 25 2026 (02/25/2026, 16:14:33 UTC)
Source: CVE Database V5
Vendor/Project: Cisco
Product: Cisco NX-OS Software

Description

CVE-2026-20051 is a high-severity vulnerability in Cisco NX-OS software affecting Cisco Nexus 3600 and 9500-R series switches. It arises from a logic error in Ethernet VPN (EVPN) Layer 2 ingress packet processing, allowing an unauthenticated, Layer 2-adjacent attacker to send crafted Ethernet frames that trigger a Layer 2 VxLAN traffic loop. This loop can oversubscribe network interface bandwidth, causing a denial of service by dropping all data plane traffic. Exploitation requires adjacency at Layer 2 but no authentication or user interaction. Manual intervention is necessary to stop the loop and restore network interfaces. No known exploits are currently reported in the wild. The vulnerability impacts a broad range of NX-OS versions from 9.2 through 10.6. Organizations using affected Cisco Nexus platforms should prioritize mitigation to prevent potential network outages.

AI-Powered Analysis

Last updated: 02/26/2026, 00:02:36 UTC

Technical Analysis

CVE-2026-20051 is a vulnerability identified in the Ethernet VPN (EVPN) Layer 2 ingress packet processing of Cisco NX-OS software running on Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500-R Series Switching Platforms. The root cause is a logic error triggered by processing specially crafted Layer 2 ingress Ethernet frames. An unauthenticated attacker with Layer 2 adjacency can exploit this flaw by sending a stream of malicious Ethernet frames to the targeted device. This causes the device to enter a Layer 2 Virtual eXtensible LAN (VxLAN) traffic loop, which oversubscribes the bandwidth on network interfaces. The resulting traffic loop leads to a denial of service (DoS) condition by dropping all data plane traffic, effectively disrupting network communications. The vulnerability affects a wide range of NX-OS versions from 9.2(1) through 10.6(1s) and related builds. Exploitation does not require authentication or user interaction but does require physical or logical Layer 2 adjacency to the vulnerable device. Recovery from an active exploit requires manual intervention to stop the crafted traffic and flap the affected interfaces. Cisco recommends contacting their Technical Assistance Center (TAC) for support if a related Layer 2 loop is suspected. No public exploits or active exploitation have been reported to date. The CVSS v3.1 base score is 7.4, reflecting high severity due to the potential for network-wide denial of service and the complexity of the attack vector.

Potential Impact

The primary impact of CVE-2026-20051 is a denial of service condition on critical network infrastructure devices, specifically Cisco Nexus 3600 and 9500-R series switches. By triggering a Layer 2 VxLAN traffic loop, an attacker can cause oversubscription of bandwidth on network interfaces, resulting in dropped data plane traffic and network outages. This can severely disrupt enterprise and data center network operations, impacting availability of services dependent on these switches. The vulnerability affects a broad range of NX-OS versions, increasing the scope of potentially impacted devices globally. Organizations relying on these Cisco platforms for core switching and EVPN services face risks of network instability, degraded performance, and potential downtime. Since exploitation requires Layer 2 adjacency, attackers with access to the local network segment or compromised devices within the same broadcast domain pose a significant threat. The lack of authentication requirement lowers the barrier for exploitation once adjacency is achieved. Although no known exploits are reported, the potential for widespread network disruption makes this vulnerability a critical concern for network administrators and security teams.

Mitigation Recommendations

To mitigate CVE-2026-20051, organizations should first identify all Cisco Nexus 3600 and 9500-R series switches running affected NX-OS versions. Immediate steps include:

1) Applying Cisco-released patches or software updates that address this vulnerability as soon as they become available;
2) Implementing strict network segmentation and access controls to limit Layer 2 adjacency to trusted devices only, reducing the attack surface;
3) Monitoring network traffic for signs of abnormal Layer 2 loops or unusual VxLAN traffic patterns using advanced network monitoring and anomaly detection tools;
4) Preparing incident response procedures to quickly flap affected interfaces and stop malicious traffic if a loop is detected;
5) Engaging Cisco Technical Assistance Center (TAC) for guidance and support in case of suspected exploitation;
6) Reviewing and hardening EVPN and VxLAN configurations to ensure they follow best practices and minimize exposure;
7) Employing network access control (NAC) solutions to prevent unauthorized devices from connecting at Layer 2;
8) Conducting regular network audits to identify and remediate misconfigurations that could facilitate exploitation.

These targeted measures go beyond generic advice by focusing on limiting adjacency, proactive detection, and rapid response to traffic loops.
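The identification step above, as an added example (not code from Cisco or from this page's source): a first-pass inventory triage that flags devices whose platform family and NX-OS release fall inside the 9.2(1) to 10.6(1s) span quoted in the analysis. The inventory records, field names and result labels are constructed; the span is a coarse filter, and the exact affected-build list in the vendor advisory decides.

```python
import re

# Span and platform families as stated on this page. Assumption: treating the
# span as a contiguous range; the vendor's per-build list is authoritative.
LOW, HIGH = "9.2(1)", "10.6(1s)"
FAMILIES = ("Nexus 3600", "Nexus 9500-R")

# major.minor(maintenance + optional letter), e.g. 10.6(1s); trailing text ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)")

def parse_nxos(version):
    """Return a sortable key for an NX-OS release string, or None if unparsable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint), letter)

def triage(device):
    """Classify one inventory record (hypothetical fields: platform, version)."""
    if not any(family in device["platform"] for family in FAMILIES):
        return "platform-not-listed"
    key = parse_nxos(device["version"])
    if key is None:
        return "review-manually"          # never silently pass unknown versions
    if parse_nxos(LOW) <= key <= parse_nxos(HIGH):
        return "in-page-range"            # confirm against the advisory, then plan upgrade
    return "outside-page-range"           # does not by itself mean "fixed"

def report(inventory):
    """Map hostname -> triage result for a list of inventory records."""
    return {d["host"]: triage(d) for d in inventory}

# Constructed sample inventory (hostnames and releases are illustrative only).
INVENTORY = [
    {"host": "leaf-01",  "platform": "Nexus 3600",   "version": "9.3(5)"},
    {"host": "spine-01", "platform": "Nexus 9500-R", "version": "10.6(1s)"},
    {"host": "spine-02", "platform": "Nexus 9500-R", "version": "10.6(2)"},
    {"host": "core-01",  "platform": "Nexus 9500",   "version": "10.2(3)"},
    {"host": "old-01",   "platform": "Nexus 3600",   "version": "7.0(3)I7(9)"},
    {"host": "lab-01",   "platform": "Nexus 3600",   "version": "unknown"},
]

if __name__ == "__main__":
    for host, result in report(INVENTORY).items():
        print(f"{host:10s} {result}")
```

Records that come back as `review-manually` or `in-page-range` are the ones to check against the advisory's build list before scheduling upgrades.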


Technical Details

Data Version: 5.2
Assigner Short Name: cisco
Date Reserved: 2025-10-08T11:59:15.355Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b6eb7ef31ef0b55563d

Added to database: 2/25/2026, 9:36:46 PM

Last enriched: 2/26/2026, 12:02:36 AM

Last updated: 2/26/2026, 8:14:47 AM
