CVE-2026-20084
Received Received - Intake

DHCP Snooping BOOTP VLAN Leakage Causes DoS on Cisco Switches

Vulnerability report for CVE-2026-20084, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-03-25

Assigner: Cisco Systems, Inc.

Description

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-03-25
Generated
2026-07-06
AI Q&A
2026-03-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cisco ios_xe *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the DHCP snooping feature of Cisco IOS XE Software, specifically on Cisco Catalyst 9000 Series Switches. It allows an unauthenticated, remote attacker to send BOOTP request packets to the device, which causes BOOTP packets to be forwarded improperly between VLANs.

The improper handling of BOOTP packets leads to BOOTP VLAN leakage and can cause high CPU utilization on the affected device.

As a result, the device may become unreachable via console or remote management and unable to forward traffic, causing a denial of service (DoS) condition.

This vulnerability can be exploited using either unicast or broadcast BOOTP packets.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking the configuration related to DHCP snooping, ip helper-address, and native VLAN settings on Cisco Catalyst 9000 Series Switches.

  • Check if IP DHCP snooping is enabled using the command: show running-config | include ip dhcp snooping
  • Verify if an ip helper-address is configured on a Switched Virtual Interface (SVI) using: show running-config | section interface Vlan
  • Determine if a native VLAN is configured on a sub-interface by checking for 'encapsulation dot1q native' in the interface configuration.
Impact Analysis

Exploitation of this vulnerability can cause a denial of service (DoS) condition on affected Cisco Catalyst 9000 Series Switches.

An attacker can cause the device to become unreachable through console or remote management by triggering high CPU utilization.

This results in the device being unable to forward network traffic, potentially disrupting network operations and connectivity.

Mitigation Strategies

There are workarounds that address this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart