CVE-2026-20086

High

Published: 25 March 2026

Published

25 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0015 35.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS)…

condition on an affected device. This vulnerability is due to improper handling of a malformed CAPWAP packet. An attacker could exploit this vulnerability by sending a malformed CAPWAP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely patching of the Cisco IOS XE software to fix the improper handling of malformed CAPWAP packets, directly eliminating the vulnerability.

SC-5 Denial-of-service Protection good match

preventdetect

Denial-of-service protection implements mechanisms to detect and mitigate malformed CAPWAP packet floods or anomalies that trigger device reloads.

SI-10 Information Input Validation good match

prevent

Information input validation enforces checks on CAPWAP packets to reject malformed inputs before they reach the vulnerable processing logic.

Security SummaryAI

CVE-2026-20086 is a vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets within Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family. The issue arises from improper handling of malformed CAPWAP packets, which could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-230: Improper Handling of Missing Special Element.

An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted, malformed CAPWAP packet to an affected device. Successful exploitation would cause the device to reload unexpectedly, leading to a DoS condition that disrupts wireless network operations until the device is manually restarted.

The Cisco Security Advisory provides details on mitigation and patch information at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dos-hnX5KGOm. Security practitioners should consult this advisory for software updates and workarounds applicable to the Catalyst CW9800 Family.

Details

CWE(s): CWE-230

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability enables unauthenticated remote DoS via malformed CAPWAP packets causing device reload, directly facilitating Endpoint Denial of Service: Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dos-hnX5KGOm
psirt@cisco.com