SpirityCVE

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Cisco	Ios Xe Software

No data.

References

Link	Providers
https://www.spirityenterprise.com/digital-risk-protection
https://www.spirityenterprise.com/managed-detection-response
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA

History

Thu, 26 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco ios Xe Software
Vendors & Products		Cisco Cisco ios Xe Software

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Title		Bootp VLAN Leakage in Cisco IOS XE DHCP Snooping Leading to Denial of Service

Wed, 25 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. There are workarounds that address this vulnerability.
Weaknesses		CWE-400
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-25T16:02:39.119Z

Updated: 2026-03-26T17:35:50.008Z

Reserved: 2025-10-08T11:59:15.366Z

Link: CVE-2026-20084

Vulnrichment

Updated: 2026-03-26T17:35:45.608Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T16:16:13.563

Modified: 2026-03-26T15:13:33.940

Link: CVE-2026-20084

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object