CVE-2024-20312
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/03/2024
Last modified:
26/08/2025
Description
A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.<br />
<br />
This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition.<br />
<br />
Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and have formed an adjacency.
Impact
Base Score 3.x
7.40
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:ios:15.0\(1\)ex:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy2:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy3:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy4:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy5:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(1\)sy6:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg2:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg3:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg4:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg5:*:*:*:*:*:*:* | ||
| cpe:2.3:o:cisco:ios:15.1\(2\)sg6:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page