Description
A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition.

Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets.

There are workarounds that address this vulnerability.
Published: 2026-03-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via BOOTP VLAN leakage
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the DHCP snooping feature of Cisco IOS XE Software, where BOOTP packets are incorrectly routed between VLANs. This allows remote attackers to send BOOTP requests that cause packet leakage across VLAN boundaries, leading to excessive CPU usage and rendering the device unreachable through console or management interfaces. The weakness is a resource exhaustion flaw.

Affected Systems

Affected devices include Cisco Catalyst 9000 Series Switches running Cisco IOS XE Software; specific model and version ranges are not listed in the advisory.

Risk and Exploitability

The CVSS base score of 8.6 denotes a high impact. Exploitation requires an attacker with network access to send unicast or broadcast BOOTP packets, a scenario easily achievable in a LAN environment. Given the lack of an EPSS score and the absence in the KEV catalog, the vulnerability remains high risk without an available patch, necessitating immediate defensive actions.

Generated by OpenCVE AI on March 25, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Cisco for a firmware or software update that addresses the DHCP snooping flaw and apply it as soon as possible
  • If no patch is available, disable the DHCP snooping feature or restrict BOOTP packet forwarding between VLANs to prevent leakage
  • Apply network segmentation to limit the reach of any BOOTP packets and monitor CPU usage to detect potential DoS attacks

Generated by OpenCVE AI on March 25, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco ios Xe Software
Vendors & Products Cisco
Cisco ios Xe Software

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Bootp VLAN Leakage in Cisco IOS XE DHCP Snooping Leading to Denial of Service

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

Cisco Ios Xe Software
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-26T17:35:50.008Z

Reserved: 2025-10-08T11:59:15.366Z

Link: CVE-2026-20084

cve-icon Vulnrichment

Updated: 2026-03-26T17:35:45.608Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T16:16:13.563

Modified: 2026-03-26T15:13:33.940

Link: CVE-2026-20084

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T11:42:50Z

Weaknesses