Resource exhaustion in Cisco IOS XE - CVE-2026-20084

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of BOOTP packets in the DHCP snooping feature when processing BOOTP requests. A remote attacker can send a specially crafted BOOTP request packet to forward BOOTP packets between VLANs, resulting in high CPU utilization and a denial of service condition.

The affected device becomes unreachable through console or remote management and is unable to forward traffic. This vulnerability can be exploited with either unicast or broadcast BOOTP packets and requires specific configuration conditions: IP DHCP snooping enabled, ip helper-address configured on an SVI, the next hop being a sub-interface, and one of the sub-interfaces having the native VLAN configured.

How to mitigate CVE-2026-20084

Sources

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA
• https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq07617