1. Home
  2. CVE Database
  3. CVE-2025-20146
HIGH · 8.6

CVE-2025-20146

A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-P...

Vulnerability Description

A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of malformed IPv4 multicast packets that are received on line cards where the interface has either an IPv4 access control list (ACL) or a QoS policy applied. An attacker could exploit this vulnerability by sending crafted IPv4 multicast packets through an affected device. A successful exploit could allow the attacker to cause line card exceptions or a hard reset. Traffic over that line card would be lost while the line card reloads.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH

Affected Products

VendorProductVersions
CiscoIos Xr7.9.21
CiscoAsr 9006-
CiscoAsr 9010-
CiscoAsr 9901-
CiscoAsr 9902-
CiscoAsr 9903-
CiscoAsr 9904-
CiscoAsr 9906-
CiscoAsr 9910-
CiscoAsr 9912-
CiscoAsr 9922-

Related Weaknesses (CWE)

CWE-20

References

FAQ

What is CVE-2025-20146?

CVE-2025-20146 is a vulnerability with a CVSS score of 8.6 (HIGH). A vulnerability in the Layer 3 multicast feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-P...

How severe is CVE-2025-20146?

CVE-2025-20146 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-20146?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Ios Xr, Cisco Asr 9006, Cisco Asr 9010, Cisco Asr 9901, Cisco Asr 9902.