#VU124585 Resource exhaustion in Cisco IOS XE - CVE-2026-20084

 


Published: March 25, 2026


Vulnerability identifier: #VU124585
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20084
CWE-ID: CWE-400
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software: Cisco IOS XE
Software vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of BOOTP request packets in the DHCP snooping feature. A remote attacker can send a specially crafted BOOTP request packet that causes the device to forward BOOTP packets between VLANs, resulting in high CPU utilization and a denial of service condition.

The affected device becomes unreachable through console or remote management and is unable to forward traffic. This vulnerability can be exploited with either unicast or broadcast BOOTP packets and requires specific configuration conditions: IP DHCP snooping enabled, ip helper-address configured on an SVI, the next hop being a sub-interface, and one of the sub-interfaces having the native VLAN configured.
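To triage exposure, the configuration conditions listed above can be checked against a saved running-config. The following is an added example, not vendor or advisory code; the sample config is constructed, and the function names and the `review_needed` key are hypothetical. It covers only what is visible in config text and leaves the next-hop condition for manual confirmation.

```python
import re

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.99.5
!
interface GigabitEthernet1/0/1.1
 encapsulation dot1Q 1 native
!
interface GigabitEthernet1/0/1.99
 encapsulation dot1Q 99
 ip address 10.0.99.1 255.255.255.0
!
"""

def interface_blocks(config):
    """Map each interface name to the list of commands configured under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip().lower())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def check_preconditions(config):
    """Report the advisory's preconditions that are visible in config text."""
    blocks = interface_blocks(config)
    result = {
        # Global enable line only; "no ip dhcp snooping" does not match.
        "dhcp_snooping": any(l.rstrip() == "ip dhcp snooping" for l in config.splitlines()),
        "svi_with_helper": [n for n, cmds in blocks.items() if n.lower().startswith("vlan")
                            and any(c.startswith("ip helper-address ") for c in cmds)],
        "native_subinterfaces": [n for n, cmds in blocks.items() if "." in n
                                 and any(re.fullmatch(r"encapsulation dot1q \d+ native", c) for c in cmds)],
    }
    # Whether the helper's next hop is a sub-interface depends on routing state,
    # so True here means "confirm against the routing table", not "vulnerable".
    result["review_needed"] = all(result.values())
    return result

if __name__ == "__main__":
    print(check_preconditions(SAMPLE_CONFIG))
```

A device flagged with `review_needed` still needs its routing table checked to confirm that the helper address is reached through a sub-interface.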


Remediation

Install the security update from the vendor's website.
