Medium6.8Cisco Updated
Cisco Nexus 3000 and 9000 Series Switches Border Gateway Protocol Denial of Service Vulnerability
cisco-sa-bgp-iefab-3hb2pwtx Published May 20, 2026Updated by vendor May 20, 2026
CVE-2026-20171
Affected products & platforms
CiscoSwitchesNexusNX-OSNexus 3000
Summary
A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition.
Affected versions
- Scope: At the time of publication, this vulnerability affected Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode if they had the BGP routing protocol configured.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
Temporary workarounds
- There are two workarounds that address this vulnerability. If an affected device does not need to use the ATTR_SET attribute to carry customer edge (CE) attributes across the ISP network, RFC 6368 states that it is an optional attribute that can be discarded.
- To discard the attribute and add or update the prefixes that are contained in the update to the routing table, add the path-attribute discard 128 in configuration command under the neighbor configuration that is sending it, as shown in the following example:
- router bgp 64550
- neighbor 10.0.0.2
- path-attribute discard 128 in
- Alternatively, to discard the attribute and remove the prefixes that are contained in the update from the routing table, add the path-attribute treat-as-withdraw 128 in configuration command under the neighbor configuration that is sending it, as shown in the following example:
- router bgp 64550
- neighbor 10.0.0.2
- path-attribute treat-as-withdraw 128 in
- There is also a mitigation. To disable the enforce-first-as global BGP feature on the provider edge (PE) that is receiving the ATTR_SET attribute, configure the no enforce-first-as command, as shown in the following example. This will disable first Autonomous System Number (ASN) checking.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.