CVE-2024-20308

Name: CVE-2024-20308
Creator: NVD / NIST
Published: 2024-03-27T18:15:09.853+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.80%

Last modified Jun 17, 2026

CVE-2024-20308 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A vulnerability in the IKEv1 fragmentation code of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a heap underflow, resulting in an affected device reloading. This vulnerability exists because crafted, fragmented IKEv1 packets are not properly reassembled. An attacker could exploit this vulnerability by sending crafted UDP packets to an affected system. EPSS estimates a 0.80% chance of exploitation in the next 30 days.

Description

A vulnerability in the IKEv1 fragmentation code of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a heap underflow, resulting in an affected device reloading. This vulnerability exists because crafted, fragmented IKEv1 packets are not properly reassembled. An attacker could exploit this vulnerability by sending crafted UDP packets to an affected system. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: Only traffic that is directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered by IPv4 and IPv6 traffic..

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.80%

52.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-787

Affected Software

Vendor	Product	Versions
Cisco	Ios	12.4\(22\)md
Cisco	Ios	12.4\(22\)md1
Cisco	Ios	12.4\(22\)md2
Cisco	Ios	12.4\(22\)mda
Cisco	Ios	12.4\(22\)mda1
Cisco	Ios	12.4\(22\)mda2
Cisco	Ios	12.4\(22\)mda3
Cisco	Ios	12.4\(22\)mda4
Cisco	Ios	12.4\(22\)mda5
Cisco	Ios	12.4\(22\)mda6
Cisco	Ios	12.4\(22\)t
Cisco	Ios	12.4\(22\)t1
Cisco	Ios	12.4\(22\)t2
Cisco	Ios	12.4\(22\)t3
Cisco	Ios	12.4\(22\)t4
Cisco	Ios	12.4\(22\)t5
Cisco	Ios	12.4\(22\)xr1
Cisco	Ios	12.4\(22\)xr2
Cisco	Ios	12.4\(22\)xr3
Cisco	Ios	12.4\(22\)xr4
Cisco	Ios	12.4\(22\)xr5
Cisco	Ios	12.4\(22\)xr6
Cisco	Ios	12.4\(22\)xr7
Cisco	Ios	12.4\(22\)xr8
Cisco	Ios	12.4\(22\)xr9
Cisco	Ios	12.4\(22\)xr10
Cisco	Ios	12.4\(22\)xr11
Cisco	Ios	12.4\(22\)xr12
Cisco	Ios	12.4\(24\)md
Cisco	Ios	12.4\(24\)md1
Cisco	Ios	12.4\(24\)md2
Cisco	Ios	12.4\(24\)md3
Cisco	Ios	12.4\(24\)md4
Cisco	Ios	12.4\(24\)md5
Cisco	Ios	12.4\(24\)md6
Cisco	Ios	12.4\(24\)md7
Cisco	Ios	12.4\(24\)mda1
Cisco	Ios	12.4\(24\)mda2
Cisco	Ios	12.4\(24\)mda3
Cisco	Ios	12.4\(24\)mda4
Cisco	Ios	12.4\(24\)mda5
Cisco	Ios	12.4\(24\)mda6
Cisco	Ios	12.4\(24\)mda7
Cisco	Ios	12.4\(24\)mda8
Cisco	Ios	12.4\(24\)mda9
Cisco	Ios	12.4\(24\)mda10
Cisco	Ios	12.4\(24\)mda11
Cisco	Ios	12.4\(24\)mda12
Cisco	Ios	12.4\(24\)mda13
Cisco	Ios	12.4\(24\)mdb

Showing 50 of 1012 affected configurations. See NVD for the full list.

References

Timeline

Published: Mar 27, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-20308?

How severe is CVE-2024-20308?

CVE-2024-20308 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.80% probability of exploitation in the next 30 days.

How do I fix CVE-2024-20308?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-20308?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST