CVE-2026-20084
Status: Received - Intake
DHCP Snooping BOOTP VLAN Leakage Causes DoS on Cisco Switches

Publication date: 2026-03-25

Last updated on: 2026-03-25

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: cisco
Product: ios_xe
Version / Range: *
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the DHCP snooping feature of Cisco IOS XE Software, specifically on Cisco Catalyst 9000 Series Switches. It allows an unauthenticated, remote attacker to send BOOTP request packets to the device, which causes BOOTP packets to be forwarded improperly between VLANs.

The improper handling of BOOTP packets leads to BOOTP VLAN leakage and can cause high CPU utilization on the affected device.

As a result, the device may become unreachable via console or remote management and unable to forward traffic, causing a denial of service (DoS) condition.

This vulnerability can be exploited using either unicast or broadcast BOOTP packets.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the configuration related to DHCP snooping, ip helper-address, and native VLAN settings on Cisco Catalyst 9000 Series Switches.

  • Check if IP DHCP snooping is enabled using the command: show running-config | include ip dhcp snooping
  • Verify if an ip helper-address is configured on a Switched Virtual Interface (SVI) using: show running-config | section interface Vlan
  • Determine if a native VLAN is configured on a sub-interface by checking for 'encapsulation dot1q native' in the interface configuration.
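The three checks above can be run over a saved running-config instead of by eye. The following is an added example, not code from the advisory or from Cisco; it parses a constructed sample config and reports whether global DHCP snooping, an ip helper-address on an SVI, and a native VLAN on a sub-interface are all present, so the device can be reviewed against the Cisco advisory. The interface-name and keyword matching assumes standard IOS XE config syntax.

```python
import re

# Constructed sample IOS XE running-config (not from any real device).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/1.100
 encapsulation dot1Q 100 native
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.0.0.5
!
"""

def split_interfaces(config):
    """Return (global_lines, {interface_name: [its indented config lines]})."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:                       # '!' or a global command ends any interface block
            current = None
            global_lines.append(line)
    return global_lines, blocks

def check_exposure(config):
    """Report the three settings the detection answer says to check."""
    global_lines, blocks = split_interfaces(config)
    snooping = "ip dhcp snooping" in global_lines        # exact global command only
    svi_helpers = {                                      # SVIs carrying ip helper-address
        name: helpers for name, lines in blocks.items() if name.lower().startswith("vlan")
        and (helpers := [l.split()[-1] for l in lines if l.startswith("ip helper-address ")])
    }
    native_subifs = [                                    # sub-interfaces with a native VLAN
        name for name, lines in blocks.items() if "." in name
        and any(re.fullmatch(r"encapsulation dot1q \d+ native", l, re.I) for l in lines)
    ]
    return {"dhcp_snooping_enabled": snooping, "svi_with_helper": svi_helpers,
            "native_vlan_subinterfaces": native_subifs,
            "review_recommended": snooping and bool(svi_helpers) and bool(native_subifs)}
```

Feed it the output of show running-config from a real device to get the same report; a True review_recommended only means all three settings coexist, not that the software version is affected.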

How can this vulnerability impact me?

Exploitation of this vulnerability can cause a denial of service (DoS) condition on affected Cisco Catalyst 9000 Series Switches.

An attacker can cause the device to become unreachable through console or remote management by triggering high CPU utilization.

This results in the device being unable to forward network traffic, potentially disrupting network operations and connectivity.


What immediate steps should I take to mitigate this vulnerability?

There are workarounds that address this vulnerability.

