CVE-2022-20849 [Medium] | Denial of Service in Ios Xr

A vulnerability in the Broadband Network Gateway PPP over Ethernet (PPPoE) feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the PPPoE process to continually crash. This vulnerability exists because the PPPoE feature does not properly handle an error condition within a specific crafted packet sequence. An attacker could exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled customer premises equipment (CPE). A successful exploit could allow the attacker to cause the PPPoE process to continually restart, resulting in a denial of service condition (DoS).Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the September 2022 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see .

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.06%	0.27%	+0.21%
2	2025-12-24	0.02%	0.06%	+0.04%
3	2025-11-15	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.06%

0.27%

+0.21%

2025-12-24

0.02%

0.06%

+0.04%

2025-11-15

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.1	3.1	MEDIUM	`CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.6	4.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.1

3.1

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.6

4.0

[email protected]

Affected software / configurations for CVE-2022-20849

Vendor	Product	Version	Raw CPE
cisco	ios_xr	6.5.1	cpe:2.3:o:cisco:ios_xr:6.5.1:::::::*
cisco	ios_xr	6.5.2	cpe:2.3:o:cisco:ios_xr:6.5.2:::::::*
cisco	ios_xr	6.5.3	cpe:2.3:o:cisco:ios_xr:6.5.3:::::::*
cisco	ios_xr	6.5.15	cpe:2.3:o:cisco:ios_xr:6.5.15:::::::*
cisco	ios_xr	6.6.1	cpe:2.3:o:cisco:ios_xr:6.6.1:::::::*
cisco	ios_xr	6.6.2	cpe:2.3:o:cisco:ios_xr:6.6.2:::::::*
cisco	ios_xr	6.6.3	cpe:2.3:o:cisco:ios_xr:6.6.3:::::::*
cisco	ios_xr	6.6.4	cpe:2.3:o:cisco:ios_xr:6.6.4:::::::*
cisco	ios_xr	6.6.25	cpe:2.3:o:cisco:ios_xr:6.6.25:::::::*
cisco	ios_xr	6.7.1	cpe:2.3:o:cisco:ios_xr:6.7.1:::::::*
cisco	ios_xr	6.7.2	cpe:2.3:o:cisco:ios_xr:6.7.2:::::::*
cisco	ios_xr	6.7.3	cpe:2.3:o:cisco:ios_xr:6.7.3:::::::*
cisco	ios_xr	6.7.35	cpe:2.3:o:cisco:ios_xr:6.7.35:::::::*
cisco	ios_xr	6.8.1	cpe:2.3:o:cisco:ios_xr:6.8.1:::::::*
cisco	ios_xr	6.8.2	cpe:2.3:o:cisco:ios_xr:6.8.2:::::::*
cisco	ios_xr	6.9.1	cpe:2.3:o:cisco:ios_xr:6.9.1:::::::*
cisco	ios_xr	7.0.1	cpe:2.3:o:cisco:ios_xr:7.0.1:::::::*
cisco	ios_xr	7.0.2	cpe:2.3:o:cisco:ios_xr:7.0.2:::::::*
cisco	ios_xr	7.0.90	cpe:2.3:o:cisco:ios_xr:7.0.90:::::::*
cisco	ios_xr	7.1.1	cpe:2.3:o:cisco:ios_xr:7.1.1:::::::*
cisco	ios_xr	7.1.2	cpe:2.3:o:cisco:ios_xr:7.1.2:::::::*
cisco	ios_xr	7.1.3	cpe:2.3:o:cisco:ios_xr:7.1.3:::::::*
cisco	ios_xr	7.1.15	cpe:2.3:o:cisco:ios_xr:7.1.15:::::::*
cisco	ios_xr	7.1.25	cpe:2.3:o:cisco:ios_xr:7.1.25:::::::*
cisco	ios_xr	7.2.1	cpe:2.3:o:cisco:ios_xr:7.2.1:::::::*
cisco	ios_xr	7.2.2	cpe:2.3:o:cisco:ios_xr:7.2.2:::::::*
cisco	ios_xr	7.3.1	cpe:2.3:o:cisco:ios_xr:7.3.1:::::::*
cisco	ios_xr	7.3.2	cpe:2.3:o:cisco:ios_xr:7.3.2:::::::*
cisco	ios_xr	7.3.3	cpe:2.3:o:cisco:ios_xr:7.3.3:::::::*
cisco	ios_xr	7.3.4	cpe:2.3:o:cisco:ios_xr:7.3.4:::::::*
cisco	ios_xr	7.4.1	cpe:2.3:o:cisco:ios_xr:7.4.1:::::::*
cisco	ios_xr	7.4.2	cpe:2.3:o:cisco:ios_xr:7.4.2:::::::*
cisco	ios_xr	7.5.1	cpe:2.3:o:cisco:ios_xr:7.5.1:::::::*

References for CVE-2022-20849

URL	Tags
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt	Vendor Advisory

URL

CVE-2022-20849 | Cisco IOS XR Software Broadband Network Gateway PPPoE Denial of Service Vulnerability

Exploit prediction scoring system (EPSS) score for CVE-2022-20849

Common vulnerability scoring system (CVSS) metrics for CVE-2022-20849

Weakness enumeration for CVE-2022-20849

Affected software / configurations for CVE-2022-20849

References for CVE-2022-20849