Cisco IOS XR Software Multi-Instance Intermediate System-to-Intermediate System Denial of Service Vulnerability
Summary
A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly. This vulnerability is due to insufficient input validation of ingress IS-IS packets. An attacker could exploit this vulnerability by sending crafted IS-IS packets to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the IS-IS process to restart unexpectedly, resulting in a temporary loss of connectivity to adver…
- Scope: This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS XR Software and have the IS-IS multi-instance routing feature enabled.
- Release 7.7 and earlier (first fixed: Not affected)
- 7.8 — Migrate to a fixed release
- 7.9 — Migrate to a fixed release
- 7.10 — Migrate to a fixed release
- 7.11 — Migrate to a fixed release
- 24.1 — Migrate to a fixed release
- 24.2 — Migrate to a fixed release
- 24.3 — Migrate to a fixed release
- 24.4 — Migrate to a fixed release
- 25.1 — Migrate to a fixed release
- Release 25.2 (first fixed: 25.2.2)
- Release 25.3 (first fixed: 25.3.1)
- Release 25.4 (first fixed: Not affected)
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
- Not affected
- 25.2.2
- 25.3.1
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Mitigation checklist
- Upgrade to the first fixed release for your train per the Fixed Releases table in this advisory.
- Release 7.7 and earlier: upgrade to Not affected.
- Release 7.8: migrate to a fixed release.
- Release 7.9: migrate to a fixed release.
- Release 7.10: migrate to a fixed release.
- Release 7.11: migrate to a fixed release.
- Release 24.1: migrate to a fixed release.
- Release 24.2: migrate to a fixed release.
- Release 24.3: migrate to a fixed release.
- There are no workarounds that address this vulnerability.
- As a mitigation, configure IS-IS area authentication. This would require an attacker to authenticate successfully to the IS-IS area before they are able to form an adjacency and exploit this vulnerability. For more information on configuring IS-IS authentication, see the IS-IS Authentication section of the Routing Configuration Guide for Cisco NCS 5500 Series Routers, IOS XR Release 24.1.x, 24.…
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.