CVE-2026-20084 is a vulnerability in the DHCP snooping feature of Cisco IOS XE Software, specifically impacting Cisco Catalyst 9000 Series Switches. The flaw arises from improper handling of BOOTP packets, which are used in network booting and DHCP processes. An unauthenticated remote attacker can exploit this by sending crafted BOOTP request packets to the affected device. This causes BOOTP packets to be forwarded across VLAN boundaries, a behavior not intended by design, resulting in VLAN leakage. The unintended forwarding leads to uncontrolled resource consumption, particularly high CPU utilization, which can overwhelm the switch’s processing capabilities. Consequently, the device becomes unreachable via console or remote management interfaces and stops forwarding network traffic, causing a denial of service. The vulnerability can be exploited using either unicast or broadcast BOOTP packets, increasing the attack surface. The affected Cisco IOS XE versions cover a broad spectrum from 16.6.1 up to 17.18.1, indicating a long-standing issue across multiple releases. The CVSS v3.1 base score is 8.6, reflecting high severity due to network attack vector, no required privileges or user interaction, and complete loss of availability. While no public exploits have been reported yet, the potential for disruption in critical network infrastructure is high. Cisco has indicated the existence of workarounds but has not listed specific patch links in the provided data, implying that organizations should monitor Cisco advisories for updates and apply patches promptly once available.

The primary impact of CVE-2026-20084 is a denial of service condition on Cisco Catalyst 9000 Series Switches running vulnerable IOS XE versions. This can cause critical network infrastructure to become unreachable and unable to forward traffic, severely disrupting enterprise and service provider networks. The VLAN leakage caused by forwarding BOOTP packets across VLANs can also lead to unintended information exposure between network segments, potentially violating network segmentation policies. High CPU utilization induced by the exploit can degrade overall device performance, affecting multiple services relying on the switch. Organizations relying on these switches for core or distribution layer networking may experience outages, impacting business operations, customer services, and potentially causing financial and reputational damage. The vulnerability’s exploitation requires no authentication and no user interaction, making it accessible to remote attackers scanning for vulnerable devices. Given the widespread deployment of Cisco Catalyst 9000 switches in large enterprises, data centers, and service providers worldwide, the scope of impact is extensive. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

To mitigate CVE-2026-20084, organizations should first review and apply any Cisco-recommended workarounds that restrict or filter BOOTP traffic between VLANs to prevent unauthorized forwarding. Network administrators should disable DHCP snooping on interfaces or VLANs where it is not required, minimizing the attack surface. Implementing strict VLAN segmentation and access control lists (ACLs) to block BOOTP packets from untrusted sources can reduce exposure. Monitoring CPU utilization and network traffic patterns on affected switches can help detect anomalous activity indicative of exploitation attempts. Organizations should prioritize upgrading to patched Cisco IOS XE versions once Cisco releases updates addressing this vulnerability. Until patches are available, consider isolating vulnerable switches from untrusted networks or limiting management access to trusted personnel and networks. Regularly auditing network device configurations and applying Cisco security advisories promptly will enhance resilience. Additionally, deploying network intrusion detection systems (NIDS) capable of identifying abnormal BOOTP traffic patterns can provide early warning of exploitation attempts.