{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20084", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.366Z", "datePublished": "2026-03-25T16:02:39.119Z", "dateUpdated": "2026-03-25T16:02:39.119Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-25T16:02:39.119Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. \r\n\r This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. \r\n\r Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets.\r\n\r There are workarounds that address this vulnerability."}], "affected": [{"vendor": "Cisco", "product": "Cisco IOS XE Software", "versions": [{"version": "16.6.1", "status": "affected"}, {"version": "16.6.2", "status": "affected"}, {"version": "16.6.3", "status": "affected"}, {"version": "16.6.4", "status": "affected"}, {"version": "16.6.5", "status": "affected"}, {"version": "16.6.4a", "status": "affected"}, {"version": "16.6.6", "status": "affected"}, {"version": "16.6.7", "status": "affected"}, {"version": "16.6.8", "status": "affected"}, {"version": "16.6.9", "status": "affected"}, {"version": "16.6.10", "status": "affected"}, {"version": "16.7.1", "status": "affected"}, {"version": "16.8.1", "status": "affected"}, {"version": "16.8.1a", "status": "affected"}, {"version": "16.8.1s", "status": "affected"}, {"version": "16.9.1", "status": "affected"}, {"version": "16.9.2", "status": "affected"}, {"version": "16.9.1s", "status": "affected"}, {"version": "16.9.3", "status": "affected"}, {"version": "16.9.4", "status": "affected"}, {"version": "16.9.5", "status": "affected"}, {"version": "16.9.6", "status": "affected"}, {"version": "16.9.7", "status": "affected"}, {"version": "16.9.8", "status": "affected"}, {"version": "16.10.1", "status": "affected"}, {"version": "16.10.1s", "status": "affected"}, {"version": "16.10.1e", "status": "affected"}, {"version": "16.11.1", "status": "affected"}, {"version": "16.11.1b", "status": "affected"}, {"version": "16.11.1s", "status": "affected"}, {"version": "16.12.1", "status": "affected"}, {"version": "16.12.1s", "status": "affected"}, {"version": "16.12.1c", "status": "affected"}, {"version": "16.12.2", "status": "affected"}, {"version": "16.12.3", "status": "affected"}, {"version": "16.12.8", "status": "affected"}, {"version": "16.12.2s", "status": "affected"}, {"version": "16.12.4", "status": "affected"}, {"version": "16.12.3s", "status": "affected"}, {"version": "16.12.3a", "status": "affected"}, {"version": "16.12.4a", "status": "affected"}, {"version": "16.12.5", "status": "affected"}, {"version": "16.12.6", "status": "affected"}, {"version": "16.12.5b", "status": "affected"}, {"version": "16.12.6a", "status": "affected"}, {"version": "16.12.7", "status": "affected"}, {"version": "17.1.1", "status": "affected"}, {"version": "17.1.1s", "status": "affected"}, {"version": "17.1.1t", "status": "affected"}, {"version": "17.1.3", "status": "affected"}, {"version": "17.2.1", "status": "affected"}, {"version": "17.2.1a", "status": "affected"}, {"version": "17.3.1", "status": "affected"}, {"version": "17.3.2", "status": "affected"}, {"version": "17.3.3", "status": "affected"}, {"version": "17.3.2a", "status": "affected"}, {"version": "17.3.4", "status": "affected"}, {"version": "17.3.5", "status": "affected"}, {"version": "17.3.6", "status": "affected"}, {"version": "17.3.7", "status": "affected"}, {"version": "17.3.8", "status": "affected"}, {"version": "17.3.8a", "status": "affected"}, {"version": "17.4.1", "status": "affected"}, {"version": "17.5.1", "status": "affected"}, {"version": "17.6.1", "status": "affected"}, {"version": "17.6.2", "status": "affected"}, {"version": "17.6.3", "status": "affected"}, {"version": "17.6.1y", "status": "affected"}, {"version": "17.6.4", "status": "affected"}, {"version": "17.6.5", "status": "affected"}, {"version": "17.6.6", "status": "affected"}, {"version": "17.6.6a", "status": "affected"}, {"version": "17.6.5a", "status": "affected"}, {"version": "17.6.7", "status": "affected"}, {"version": "17.6.8", "status": "affected"}, {"version": "17.7.1", "status": "affected"}, {"version": "17.10.1", "status": "affected"}, {"version": "17.10.1b", "status": "affected"}, {"version": "17.8.1", "status": "affected"}, {"version": "17.9.1", "status": "affected"}, {"version": "17.9.2", "status": "affected"}, {"version": "17.9.3", "status": "affected"}, {"version": "17.9.4", "status": "affected"}, {"version": "17.9.5", "status": "affected"}, {"version": "17.9.4a", "status": "affected"}, {"version": "17.9.6", "status": "affected"}, {"version": "17.9.6a", "status": "affected"}, {"version": "17.9.7", "status": "affected"}, {"version": "17.9.8", "status": "affected"}, {"version": "17.11.1", "status": "affected"}, {"version": "17.12.1", "status": "affected"}, {"version": "17.12.2", "status": "affected"}, {"version": "17.12.3", "status": "affected"}, {"version": "17.12.4", "status": "affected"}, {"version": "17.12.5", "status": "affected"}, {"version": "17.12.1z5", "status": "affected"}, {"version": "17.13.1", "status": "affected"}, {"version": "17.14.1", "status": "affected"}, {"version": "17.15.1", "status": "affected"}, {"version": "17.15.2", "status": "affected"}, {"version": "17.15.3", "status": "affected"}, {"version": "17.15.2b", "status": "affected"}, {"version": "17.15.4", "status": "affected"}, {"version": "17.15.4d", "status": "affected"}, {"version": "17.16.1", "status": "affected"}, {"version": "17.17.1", "status": "affected"}, {"version": "17.18.1", "status": "affected"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Uncontrolled Resource Consumption", "type": "cwe", "cweId": "CWE-400"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA", "name": "cisco-sa-bootp-WuBhNBxA"}], "metrics": [{"format": "cvssV3_1", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "source": {"advisory": "cisco-sa-bootp-WuBhNBxA", "discovery": "EXTERNAL", "defects": ["CSCwq07617"]}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. \r\n\r This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. \r\n\r Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets.\r\n\r There are workarounds that address this vulnerability."}], "id": "CVE-2026-20084", "lastModified": "2026-03-25T16:16:13.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "psirt@cisco.com", "type": "Primary"}]}, "published": "2026-03-25T16:16:13.563", "references": [{"source": "psirt@cisco.com", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "psirt@cisco.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:35:33.074754+00:00", "value": {"mitigation_remediation": ["Check Cisco for a firmware or software update that addresses the DHCP snooping flaw and apply it as soon as possible", "If no patch is available, disable the DHCP snooping feature or restrict BOOTP packet forwarding between VLANs to prevent leakage", "Apply network segmentation to limit the reach of any BOOTP packets and monitor CPU usage to detect potential DoS attacks"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via BOOTP VLAN leakage"}, "threat_synthesis": {"affected_systems": "Affected devices include Cisco Catalyst 9000 Series Switches running Cisco IOS XE Software; specific model and version ranges are not listed in the advisory.", "description_and_impact": "The vulnerability lies in the DHCP snooping feature of Cisco IOS XE Software, where BOOTP packets are incorrectly routed between VLANs. This allows remote attackers to send BOOTP requests that cause packet leakage across VLAN boundaries, leading to excessive CPU usage and rendering the device unreachable through console or management interfaces. The weakness is a resource exhaustion flaw.", "risk_and_exploitability": "The CVSS base score of 8.6 denotes a high impact. Exploitation requires an attacker with network access to send unicast or broadcast BOOTP packets, a scenario easily achievable in a LAN environment. Given the lack of an EPSS score and the absence in the KEV catalog, the vulnerability remains high risk without an available patch, necessitating immediate defensive actions."}}}}, "created": "2026-03-25T21:30:58.236586+00:00", "title": "Bootp VLAN Leakage in Cisco IOS XE DHCP Snooping Leading to Denial of Service", "updated": "2026-03-25T21:30:58.236614+00:00", "vendors": []}