CVE-2026-20084

Severity: High · Category: DDoS

Published: 25 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: (not stated)
CVSS v3.1 base score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS score: 0.0035 (27.2nd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-20084 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Cisco IOS XE (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 27.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-20084 is a vulnerability in the DHCP snooping feature of Cisco IOS XE Software, specifically affecting Cisco Catalyst 9000 Series Switches. It stems from improper handling of BOOTP packets, which could allow these packets to be forwarded between VLANs. This issue, classified under CWE-400 (Uncontrolled Resource Consumption), carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and was published on March 25, 2026.

An unauthenticated, remote attacker can exploit this vulnerability by sending BOOTP request packets, either unicast or broadcast, to an affected device. Successful exploitation forwards BOOTP packets from one VLAN to another, causing BOOTP VLAN leakage and potentially triggering high CPU utilization. This renders the device unreachable via console or remote management and prevents it from forwarding traffic, resulting in a denial-of-service (DoS) condition.

The Cisco Security Advisory provides workarounds that address this vulnerability, as detailed at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA.

Vulnerability details

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated remote exploitation of the DHCP snooping feature's mishandling of BOOTP packets causes high CPU utilization, VLAN leakage and a DoS condition, which maps directly to denial of availability through application or system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57076 (shared CWE-400)
CVE-2025-25293 (shared CWE-400)
CVE-2025-9283 (shared CWE-400)
CVE-2025-59440 (shared CWE-400)
CVE-2026-30998 (shared CWE-400)
CVE-2026-41135 (shared CWE-400)
CVE-2025-21270 (shared CWE-400)
CVE-2024-57074 (shared CWE-400)
CVE-2025-21087 (shared CWE-400)
CVE-2026-27858 (shared CWE-400)

Affected Assets

Cisco IOS XE (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Flaw remediation (prevent): Remediating the specific flaw in DHCP snooping's BOOTP packet handling via patches or Cisco-provided workarounds directly prevents VLAN leakage and DoS exploitation.

SC-5 Denial-of-service Protection (prevent): Denial-of-service protection mechanisms, such as rate limiting BOOTP packets, directly mitigate high CPU utilization and device unreachability from uncontrolled resource consumption.

SC-7 Boundary Protection (prevent): Boundary protection enforces VLAN segmentation and controls unauthorized BOOTP packet forwarding between VLANs via features like ACLs or enhanced snooping.

References

Cisco Security Advisory cisco-sa-bootp-WuBhNBxA: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA