CVE-2025-20142

CVE-2025-20142 is a denial-of-service vulnerability in the IPv4 access control list (ACL) feature and quality of service (QoS) policy feature of Cisco IOS XR Software running on Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers. The issue stems from improper handling of malformed IPv4 packets received on line cards where an interface has an IPv4 ACL or QoS policy applied. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation).

An unauthenticated, remote attacker can exploit this vulnerability by sending crafted IPv4 packets through an affected device. A successful exploit triggers network processor errors, leading to a reset or shutdown of the network process on the targeted line card and a temporary loss of traffic over that line card during reload. The vulnerability has been predominantly observed in Layer 2 VPN (L2VPN) environments with an IPv4 ACL or QoS policy applied to the bridge virtual interface, though Layer 3 configurations with similar interface policies are also vulnerable despite lacking observed exploitation.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4uni-LfM3cfBu provides details on affected versions, workarounds, and fixed releases for mitigation. Security practitioners should consult this advisory for software upgrade guidance and configuration recommendations to address the issue.