Summaryinfo

A vulnerability marked as problematic has been reported in Cisco IOS XE. This impacts an unknown function of the component DHCP Snooping. Performing a manipulation results in resource consumption. This vulnerability is known as CVE-2026-20084. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Cisco IOS XE. It has been classified as critical. This affects an unknown code of the component DHCP Snooping. The manipulation with an unknown input leads to a resource consumption vulnerability. CWE is classifying the issue as CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. This is going to have an impact on availability. The summary by CVE is:

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.

It is possible to read the advisory at sec.cloudapps.cisco.com. This vulnerability is uniquely identified as CVE-2026-20084 since 10/08/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/31/2026). The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-15431). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Router Operating System

Vendor

• Cisco

Name

• IOS XE

Version

• 16.6.1
• 16.6.2
• 16.6.3
• 16.6.4
• 16.6.4a
• 16.6.5
• 16.6.6
• 16.6.7
• 16.6.8
• 16.6.9
• 16.6.10
• 16.7.1
• 16.8.1
• 16.8.1a
• 16.8.1s
• 16.9.1
• 16.9.1s
• 16.9.2
• 16.9.3
• 16.9.4
• 16.9.5
• 16.9.6
• 16.9.7
• 16.9.8
• 16.10.1
• 16.10.1e
• 16.10.1s
• 16.11.1
• 16.11.1b
• 16.11.1s
• 16.12.1
• 16.12.1c
• 16.12.1s
• 16.12.2
• 16.12.2s
• 16.12.3
• 16.12.3a
• 16.12.3s
• 16.12.4
• 16.12.4a
• 16.12.5
• 16.12.5b
• 16.12.6
• 16.12.6a
• 16.12.7
• 16.12.8
• 17.1.1
• 17.1.1s
• 17.1.1t
• 17.1.3
• 17.2.1
• 17.2.1a
• 17.3.1
• 17.3.2
• 17.3.2a
• 17.3.3
• 17.3.4
• 17.3.5
• 17.3.6
• 17.3.7
• 17.3.8
• 17.3.8a
• 17.4.1
• 17.5.1
• 17.6.1
• 17.6.1y
• 17.6.2
• 17.6.3
• 17.6.4
• 17.6.5
• 17.6.5a
• 17.6.6
• 17.6.6a
• 17.6.7
• 17.6.8
• 17.7.1
• 17.8.1
• 17.9.1
• 17.9.2
• 17.9.3
• 17.9.4
• 17.9.4a
• 17.9.5
• 17.9.6
• 17.9.6a
• 17.9.7
• 17.9.8
• 17.10.1
• 17.10.1b
• 17.11.1
• 17.12.1
• 17.12.1z5
• 17.12.2
• 17.12.3
• 17.12.4
• 17.12.5
• 17.13.1
• 17.14.1
• 17.15.1
• 17.15.2
• 17.15.2b
• 17.15.3
• 17.15.4
• 17.15.4d
• 17.16.1
• 17.17.1
• 17.18.1

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion