Cisco Vulnerability (CVE-2026-20084)

Vendor-confirmed - CVE-2026-20084 is a high-severity denial-of-service vulnerability in Cisco IOS XE DHCP snooping on Catalyst 9000 Series Switches that lets unauthenticated attackers crash the device by sending specially crafted BOOTP packets, causing 100% CPU utilization. Immediately upgrade to a fixed IOS XE release per Cisco’s advisory.

Overview

A significant security vulnerability, identified as CVE-2026-20084, has been discovered in the DHCP snooping feature of Cisco IOS XE Software. This flaw affects specific Cisco Catalyst 9000 Series Switches and poses a high risk to network stability.

Vulnerability Explained

In simple terms, this vulnerability is a failure in a security feature designed to control DHCP (Dynamic Host Configuration Protocol) traffic. The “DHCP snooping” function on affected switches incorrectly handles older BOOTP request packets-a protocol similar to DHCP. Due to this improper handling, an attacker can send specially crafted BOOTP packets to a vulnerable switch. The switch will then mistakenly forward these packets from one network segment (VLAN) to another, a failure known as “VLAN leakage.”

Potential Impact

The primary impact is a severe Denial of Service (DoS) condition. The leakage of BOOTP packets can trigger abnormally high CPU utilization on the switch. When this happens, the switch becomes unreachable for management (both via console and remote access) and stops forwarding regular network traffic. This effectively takes the device offline, disrupting all network services that depend on it. An attacker can exploit this without any authentication and can use either targeted (unicast) or broadcast packets.

Remediation and Mitigation Advice

Cisco has confirmed that software updates are available to address this vulnerability. The most critical action is to upgrade to a fixed release of Cisco IOS XE Software. Network administrators should consult the official Cisco security advisory for the specific patched versions.

If immediate patching is not possible, implement the following workaround: Disable the processing of BOOTP packets on all user-facing or untrusted switch interfaces. This can be accomplished using the no ip bootp server interface configuration command. This mitigation prevents the exploitation of the vulnerability while a permanent patch is scheduled.

Action Steps:

1. Identify: Inventory your network for affected Cisco Catalyst 9000 Series Switches running Cisco IOS XE Software.
2. Prioritize: Schedule updates for exposed devices first, particularly those at network edges.
3. Mitigate: Apply the no ip bootp server workaround on interim devices.
4. Update: Plan and execute upgrades to a patched software version during a maintenance window.

This incident underscores the importance of timely patch management for network infrastructure. For context on the active threat landscape targeting Cisco devices, you can read about recent incidents: CISA Warns of Active SharePoint, Zimbra Flaw Exploits; Cisco Zero-Day in Ransomware Attacks and Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access. For an example of proactive patching, see Apple Patches WebKit Same-Origin Policy Bypass in New Background Updates.