Cyber Posture

CVE-2026-20084

Severity: High
Published: 25 March 2026
Modified: 26 March 2026
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow the attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (through either console or remote management) and unable to forward traffic, resulting in a DoS condition.

Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Remediating the specific flaw in DHCP snooping's BOOTP packet handling, via fixed software or the Cisco-provided workarounds, directly prevents the VLAN leakage and the resulting DoS.

SC-5 Denial-of-Service Protection (prevent)
Denial-of-service protection mechanisms, such as per-port rate limiting of BOOTP/DHCP packets, bound the load an attacker can place on the control plane and so mitigate the high CPU utilization and loss of management reachability.

SC-7 Boundary Protection (prevent)
Boundary protection enforces VLAN segmentation and controls BOOTP forwarding between VLANs via features such as ACLs or a hardened DHCP snooping configuration.

Security Summary (AI-generated)

CVE-2026-20084 is a vulnerability in the DHCP snooping feature of Cisco IOS XE Software affecting Cisco Catalyst 9000 Series Switches. It stems from improper handling of BOOTP packets, which could allow those packets to be forwarded between VLANs. The issue is classified under CWE-400 (Uncontrolled Resource Consumption), carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), and was published on 25 March 2026.

An unauthenticated, remote attacker can exploit this vulnerability by sending BOOTP request packets, either unicast or broadcast, to an affected device. Successful exploitation forwards BOOTP packets from one VLAN to another, causing BOOTP VLAN leakage and potentially triggering high CPU utilization. This renders the device unreachable via console or remote management and prevents it from forwarding traffic, resulting in a denial-of-service (DoS) condition.

The Cisco Security Advisory provides workarounds that address this vulnerability, as detailed at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA.
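The description and summary above name two observable effects: a BOOTP request that a Catalyst 9000 with DHCP snooping forwards into a VLAN it did not arrive on, and a burst of such requests that can drive CPU utilization high. The following is an added example, not code from this page or from Cisco: a small monitoring-side detector in Python that parses 802.1Q-tagged BOOTP frames from an assumed mirrored (SPAN) feed and raises an alert when the same request (client hardware address plus transaction ID) is seen in more than one VLAN, or when the per-VLAN request rate in one second exceeds a threshold. The frames, MAC addresses, transaction IDs and the 20 packets-per-second threshold are constructed for the example; the leak check and the rate check are assumptions about what a defender would watch, not Cisco's workaround.

```python
"""Added example, not code from the Cyber Posture page or from Cisco.

Parses 802.1Q-tagged IPv4/UDP BOOTP frames (from an assumed SPAN feed) and
flags the two effects the advisory describes: one BOOTREQUEST observed in more
than one VLAN (leakage) and a per-VLAN request burst. All frames, MACs, xids
and the threshold are constructed for the example."""
import struct
from collections import defaultdict
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BOOTP_PORTS = {67, 68}            # server / client ports (RFC 951)
BOOTREQUEST = 1
BROADCAST_MAC = b"\xff" * 6


def parse_bootp_frame(frame: bytes):
    """Return a dict for a tagged IPv4/UDP BOOTP frame, or None otherwise."""
    if len(frame) < 18 or frame[12:14] != b"\x81\x00":
        return None                                 # untagged or truncated
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[18:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[0:4])
    if not ({sport, dport} & BOOTP_PORTS):
        return None
    bootp = udp[8:]
    if len(bootp) < 236:                            # fixed RFC 951 header size
        return None
    op, _htype, hlen, _hops = struct.unpack("!BBBB", bootp[0:4])
    xid = struct.unpack("!I", bootp[4:8])[0]
    return {
        "vlan": tci & 0x0FFF,
        "broadcast": frame[0:6] == BROADCAST_MAC,   # unicast and broadcast both count
        "op": op,
        "xid": xid,
        "chaddr": bootp[28:28 + hlen],              # client hardware address
    }


class BootpMonitor:
    """Tracks BOOTREQUESTs per (chaddr, xid) and per (vlan, second)."""

    def __init__(self, pps_threshold: int):
        self.pps_threshold = pps_threshold          # assumed; tune per site
        self.seen_vlans = defaultdict(set)          # (chaddr, xid) -> {vlan}
        self.per_second = defaultdict(int)          # (vlan, second) -> count
        self.alerts = []

    def observe(self, ts: float, frame: bytes):
        pkt = parse_bootp_frame(frame)
        if pkt is None or pkt["op"] != BOOTREQUEST:
            return pkt
        key = (pkt["chaddr"], pkt["xid"])
        self.seen_vlans[key].add(pkt["vlan"])
        if len(self.seen_vlans[key]) == 2:          # first time the request crosses a VLAN
            self.alerts.append(("vlan-leak", key, sorted(self.seen_vlans[key])))
        bucket = (pkt["vlan"], int(ts))
        self.per_second[bucket] += 1
        if self.per_second[bucket] == self.pps_threshold + 1:   # alert once per bucket
            self.alerts.append(("bootp-rate", pkt["vlan"], int(ts)))
        return pkt


def build_bootp_request(vlan: int, chaddr: bytes, xid: int,
                        unicast_dst: Optional[bytes] = None) -> bytes:
    """Construct a tagged Ethernet/IPv4/UDP BOOTREQUEST frame (example input only)."""
    dst = unicast_dst or BROADCAST_MAC
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0,
                        0x8000 if unicast_dst is None else 0,   # DHCP broadcast flag
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff\xff\xff\xff") + udp
    eth = dst + chaddr + struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip


def run_demo():
    """Constructed traffic: one request seen in VLAN 10 and then VLAN 20, plus
    a 25-packet unicast burst within one second in VLAN 10."""
    mon = BootpMonitor(pps_threshold=20)
    client = bytes.fromhex("001122334455")          # constructed MACs
    server = bytes.fromhex("66778899aabb")
    mon.observe(100.0, build_bootp_request(10, client, 0x1234))
    mon.observe(100.1, build_bootp_request(20, client, 0x1234))   # same request, other VLAN
    for i in range(25):
        mon.observe(200.0 + i * 0.01,
                    build_bootp_request(10, client, 0x5000 + i, unicast_dst=server))
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

`run_demo()` returns two alerts: a `vlan-leak` for the request observed in VLANs 10 and 20, and a `bootp-rate` for the burst in VLAN 10. The leak signature (one request tagged in two VLANs) is the indicator that does not depend on CPU metrics, but it assumes the mirrored feed carries both VLANs; the rate check is only a proxy for the CPU effect and its threshold is a placeholder.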

Details

CWE(s)

CWE-400 Uncontrolled Resource Consumption

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique?

An unauthenticated remote attacker exploits the DHCP snooping feature's mishandling of BOOTP packets to cause cross-VLAN leakage and high CPU utilization, denying service on the switch itself; that is an endpoint DoS achieved through application or system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Cisco Security Advisory cisco-sa-bootp-WuBhNBxA: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA