CVE-2026-20084 - Vulnerability Details

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition.

Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets.

There are workarounds that address this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco IOS XE Software

affected

Version	Status	Constraints
`16.6.1`	affected	—
`16.6.2`	affected	—
`16.6.3`	affected	—
`16.6.4`	affected	—
`16.6.5`	affected	—
`16.6.4a`	affected	—
`16.6.6`	affected	—
`16.6.7`	affected	—
`16.6.8`	affected	—
`16.6.9`	affected	—
`16.6.10`	affected	—
`16.7.1`	affected	—
`16.8.1`	affected	—
`16.8.1a`	affected	—
`16.8.1s`	affected	—
`16.9.1`	affected	—
`16.9.2`	affected	—
`16.9.1s`	affected	—
`16.9.3`	affected	—
`16.9.4`	affected	—
`16.9.5`	affected	—
`16.9.6`	affected	—
`16.9.7`	affected	—
`16.9.8`	affected	—
`16.10.1`	affected	—
`16.10.1s`	affected	—
`16.10.1e`	affected	—
`16.11.1`	affected	—
`16.11.1b`	affected	—
`16.11.1s`	affected	—
`16.12.1`	affected	—
`16.12.1s`	affected	—
`16.12.1c`	affected	—
`16.12.2`	affected	—
`16.12.3`	affected	—
`16.12.8`	affected	—
`16.12.2s`	affected	—
`16.12.4`	affected	—
`16.12.3s`	affected	—
`16.12.3a`	affected	—
`16.12.4a`	affected	—
`16.12.5`	affected	—
`16.12.6`	affected	—
`16.12.5b`	affected	—
`16.12.6a`	affected	—
`16.12.7`	affected	—
`17.1.1`	affected	—
`17.1.1s`	affected	—
`17.1.1t`	affected	—
`17.1.3`	affected	—
`17.2.1`	affected	—
`17.2.1a`	affected	—
`17.3.1`	affected	—
`17.3.2`	affected	—
`17.3.3`	affected	—
`17.3.2a`	affected	—
`17.3.4`	affected	—
`17.3.5`	affected	—
`17.3.6`	affected	—
`17.3.7`	affected	—
`17.3.8`	affected	—
`17.3.8a`	affected	—
`17.4.1`	affected	—
`17.5.1`	affected	—
`17.6.1`	affected	—
`17.6.2`	affected	—
`17.6.3`	affected	—
`17.6.1y`	affected	—
`17.6.4`	affected	—
`17.6.5`	affected	—
`17.6.6`	affected	—
`17.6.6a`	affected	—
`17.6.5a`	affected	—
`17.6.7`	affected	—
`17.6.8`	affected	—
`17.7.1`	affected	—
`17.10.1`	affected	—
`17.10.1b`	affected	—
`17.8.1`	affected	—
`17.9.1`	affected	—
`17.9.2`	affected	—
`17.9.3`	affected	—
`17.9.4`	affected	—
`17.9.5`	affected	—
`17.9.4a`	affected	—
`17.9.6`	affected	—
`17.9.6a`	affected	—
`17.9.7`	affected	—
`17.9.8`	affected	—
`17.11.1`	affected	—
`17.12.1`	affected	—
`17.12.2`	affected	—
`17.12.3`	affected	—
`17.12.4`	affected	—
`17.12.5`	affected	—
`17.12.1z5`	affected	—
`17.13.1`	affected	—
`17.14.1`	affected	—
`17.15.1`	affected	—
`17.15.2`	affected	—
`17.15.3`	affected	—
`17.15.2b`	affected	—
`17.15.4`	affected	—
`17.15.4d`	affected	—
`17.16.1`	affected	—
`17.17.1`	affected	—
`17.18.1`	affected	—

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA

History

Wed, 25 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.
Weaknesses		CWE-400
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-25T16:02:39.119Z

Updated: 2026-03-25T16:02:39.119Z

Reserved: 2025-10-08T11:59:15.366Z

Link: CVE-2026-20084

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T16:16:13.563

Modified: 2026-03-25T16:16:13.563

Link: CVE-2026-20084

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-400

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object