CVE-2024-20308 [High] | Out-of-bounds Write in Ios

A vulnerability in the IKEv1 fragmentation code of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a heap underflow, resulting in an affected device reloading. This vulnerability exists because crafted, fragmented IKEv1 packets are not properly reassembled. An attacker could exploit this vulnerability by sending crafted UDP packets to an affected system. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: Only traffic that is directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered by IPv4 and IPv6 traffic..

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.69%	0.80%	+0.11%
2	2026-03-16	0.91%	0.69%	-0.21%
3	2025-12-28	—	0.91%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.69%

0.80%

+0.11%

2026-03-16

0.91%

0.69%

-0.21%

2025-12-28

—

0.91%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.6	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	4.0	[email protected]
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.6

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

4.0

[email protected]

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

Affected software / configurations for CVE-2024-20308

Vendor	Product	Version	Raw CPE
cisco	ios	12.4\(22\)md	cpe:2.3:o:cisco:ios:12.4\(22\)md:::::::*
cisco	ios	12.4\(22\)md1	cpe:2.3:o:cisco:ios:12.4\(22\)md1:::::::*
cisco	ios	12.4\(22\)md2	cpe:2.3:o:cisco:ios:12.4\(22\)md2:::::::*
cisco	ios	12.4\(22\)mda	cpe:2.3:o:cisco:ios:12.4\(22\)mda:::::::*
cisco	ios	12.4\(22\)mda1	cpe:2.3:o:cisco:ios:12.4\(22\)mda1:::::::*
cisco	ios	12.4\(22\)mda2	cpe:2.3:o:cisco:ios:12.4\(22\)mda2:::::::*
cisco	ios	12.4\(22\)mda3	cpe:2.3:o:cisco:ios:12.4\(22\)mda3:::::::*
cisco	ios	12.4\(22\)mda4	cpe:2.3:o:cisco:ios:12.4\(22\)mda4:::::::*
cisco	ios	12.4\(22\)mda5	cpe:2.3:o:cisco:ios:12.4\(22\)mda5:::::::*
cisco	ios	12.4\(22\)mda6	cpe:2.3:o:cisco:ios:12.4\(22\)mda6:::::::*
cisco	ios	12.4\(22\)t	cpe:2.3:o:cisco:ios:12.4\(22\)t:::::::*
cisco	ios	12.4\(22\)t1	cpe:2.3:o:cisco:ios:12.4\(22\)t1:::::::*
cisco	ios	12.4\(22\)t2	cpe:2.3:o:cisco:ios:12.4\(22\)t2:::::::*
cisco	ios	12.4\(22\)t3	cpe:2.3:o:cisco:ios:12.4\(22\)t3:::::::*
cisco	ios	12.4\(22\)t4	cpe:2.3:o:cisco:ios:12.4\(22\)t4:::::::*
cisco	ios	12.4\(22\)t5	cpe:2.3:o:cisco:ios:12.4\(22\)t5:::::::*
cisco	ios	12.4\(22\)xr1	cpe:2.3:o:cisco:ios:12.4\(22\)xr1:::::::*
cisco	ios	12.4\(22\)xr2	cpe:2.3:o:cisco:ios:12.4\(22\)xr2:::::::*
cisco	ios	12.4\(22\)xr3	cpe:2.3:o:cisco:ios:12.4\(22\)xr3:::::::*
cisco	ios	12.4\(22\)xr4	cpe:2.3:o:cisco:ios:12.4\(22\)xr4:::::::*
cisco	ios	12.4\(22\)xr5	cpe:2.3:o:cisco:ios:12.4\(22\)xr5:::::::*
cisco	ios	12.4\(22\)xr6	cpe:2.3:o:cisco:ios:12.4\(22\)xr6:::::::*
cisco	ios	12.4\(22\)xr7	cpe:2.3:o:cisco:ios:12.4\(22\)xr7:::::::*
cisco	ios	12.4\(22\)xr8	cpe:2.3:o:cisco:ios:12.4\(22\)xr8:::::::*
cisco	ios	12.4\(22\)xr9	cpe:2.3:o:cisco:ios:12.4\(22\)xr9:::::::*
cisco	ios	12.4\(22\)xr10	cpe:2.3:o:cisco:ios:12.4\(22\)xr10:::::::*
cisco	ios	12.4\(22\)xr11	cpe:2.3:o:cisco:ios:12.4\(22\)xr11:::::::*
cisco	ios	12.4\(22\)xr12	cpe:2.3:o:cisco:ios:12.4\(22\)xr12:::::::*
cisco	ios	12.4\(24\)md	cpe:2.3:o:cisco:ios:12.4\(24\)md:::::::*
cisco	ios	12.4\(24\)md1	cpe:2.3:o:cisco:ios:12.4\(24\)md1:::::::*
cisco	ios	12.4\(24\)md2	cpe:2.3:o:cisco:ios:12.4\(24\)md2:::::::*
cisco	ios	12.4\(24\)md3	cpe:2.3:o:cisco:ios:12.4\(24\)md3:::::::*
cisco	ios	12.4\(24\)md4	cpe:2.3:o:cisco:ios:12.4\(24\)md4:::::::*
cisco	ios	12.4\(24\)md5	cpe:2.3:o:cisco:ios:12.4\(24\)md5:::::::*
cisco	ios	12.4\(24\)md6	cpe:2.3:o:cisco:ios:12.4\(24\)md6:::::::*
cisco	ios	12.4\(24\)md7	cpe:2.3:o:cisco:ios:12.4\(24\)md7:::::::*
cisco	ios	12.4\(24\)mda1	cpe:2.3:o:cisco:ios:12.4\(24\)mda1:::::::*
cisco	ios	12.4\(24\)mda2	cpe:2.3:o:cisco:ios:12.4\(24\)mda2:::::::*
cisco	ios	12.4\(24\)mda3	cpe:2.3:o:cisco:ios:12.4\(24\)mda3:::::::*
cisco	ios	12.4\(24\)mda4	cpe:2.3:o:cisco:ios:12.4\(24\)mda4:::::::*
cisco	ios	12.4\(24\)mda5	cpe:2.3:o:cisco:ios:12.4\(24\)mda5:::::::*
cisco	ios	12.4\(24\)mda6	cpe:2.3:o:cisco:ios:12.4\(24\)mda6:::::::*
cisco	ios	12.4\(24\)mda7	cpe:2.3:o:cisco:ios:12.4\(24\)mda7:::::::*
cisco	ios	12.4\(24\)mda8	cpe:2.3:o:cisco:ios:12.4\(24\)mda8:::::::*
cisco	ios	12.4\(24\)mda9	cpe:2.3:o:cisco:ios:12.4\(24\)mda9:::::::*
cisco	ios	12.4\(24\)mda10	cpe:2.3:o:cisco:ios:12.4\(24\)mda10:::::::*
cisco	ios	12.4\(24\)mda11	cpe:2.3:o:cisco:ios:12.4\(24\)mda11:::::::*
cisco	ios	12.4\(24\)mda12	cpe:2.3:o:cisco:ios:12.4\(24\)mda12:::::::*
cisco	ios	12.4\(24\)mda13	cpe:2.3:o:cisco:ios:12.4\(24\)mda13:::::::*
cisco	ios	12.4\(24\)mdb	cpe:2.3:o:cisco:ios:12.4\(24\)mdb:::::::*
cisco	ios	12.4\(24\)mdb1	cpe:2.3:o:cisco:ios:12.4\(24\)mdb1:::::::*
cisco	ios	12.4\(24\)mdb3	cpe:2.3:o:cisco:ios:12.4\(24\)mdb3:::::::*
cisco	ios	12.4\(24\)mdb4	cpe:2.3:o:cisco:ios:12.4\(24\)mdb4:::::::*
cisco	ios	12.4\(24\)mdb5	cpe:2.3:o:cisco:ios:12.4\(24\)mdb5:::::::*
cisco	ios	12.4\(24\)mdb5a	cpe:2.3:o:cisco:ios:12.4\(24\)mdb5a:::::::*
cisco	ios	12.4\(24\)mdb6	cpe:2.3:o:cisco:ios:12.4\(24\)mdb6:::::::*
cisco	ios	12.4\(24\)mdb7	cpe:2.3:o:cisco:ios:12.4\(24\)mdb7:::::::*
cisco	ios	12.4\(24\)mdb8	cpe:2.3:o:cisco:ios:12.4\(24\)mdb8:::::::*
cisco	ios	12.4\(24\)mdb9	cpe:2.3:o:cisco:ios:12.4\(24\)mdb9:::::::*
cisco	ios	12.4\(24\)mdb10	cpe:2.3:o:cisco:ios:12.4\(24\)mdb10:::::::*
cisco	ios	12.4\(24\)mdb11	cpe:2.3:o:cisco:ios:12.4\(24\)mdb11:::::::*
cisco	ios	12.4\(24\)mdb12	cpe:2.3:o:cisco:ios:12.4\(24\)mdb12:::::::*
cisco	ios	12.4\(24\)mdb13	cpe:2.3:o:cisco:ios:12.4\(24\)mdb13:::::::*
cisco	ios	12.4\(24\)mdb14	cpe:2.3:o:cisco:ios:12.4\(24\)mdb14:::::::*
cisco	ios	12.4\(24\)mdb15	cpe:2.3:o:cisco:ios:12.4\(24\)mdb15:::::::*
cisco	ios	12.4\(24\)mdb16	cpe:2.3:o:cisco:ios:12.4\(24\)mdb16:::::::*
cisco	ios	12.4\(24\)mdb17	cpe:2.3:o:cisco:ios:12.4\(24\)mdb17:::::::*
cisco	ios	12.4\(24\)mdb18	cpe:2.3:o:cisco:ios:12.4\(24\)mdb18:::::::*
cisco	ios	12.4\(24\)mdb19	cpe:2.3:o:cisco:ios:12.4\(24\)mdb19:::::::*
cisco	ios	12.4\(24\)t	cpe:2.3:o:cisco:ios:12.4\(24\)t:::::::*
cisco	ios	12.4\(24\)t1	cpe:2.3:o:cisco:ios:12.4\(24\)t1:::::::*
cisco	ios	12.4\(24\)t2	cpe:2.3:o:cisco:ios:12.4\(24\)t2:::::::*
cisco	ios	12.4\(24\)t3	cpe:2.3:o:cisco:ios:12.4\(24\)t3:::::::*
cisco	ios	12.4\(24\)t3e	cpe:2.3:o:cisco:ios:12.4\(24\)t3e:::::::*
cisco	ios	12.4\(24\)t3f	cpe:2.3:o:cisco:ios:12.4\(24\)t3f:::::::*
cisco	ios	12.4\(24\)t4	cpe:2.3:o:cisco:ios:12.4\(24\)t4:::::::*
cisco	ios	12.4\(24\)t4a	cpe:2.3:o:cisco:ios:12.4\(24\)t4a:::::::*
cisco	ios	12.4\(24\)t4b	cpe:2.3:o:cisco:ios:12.4\(24\)t4b:::::::*
cisco	ios	12.4\(24\)t4c	cpe:2.3:o:cisco:ios:12.4\(24\)t4c:::::::*
cisco	ios	12.4\(24\)t4d	cpe:2.3:o:cisco:ios:12.4\(24\)t4d:::::::*

References for CVE-2024-20308

URL	Tags
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ikev1-NO2ccFWz	Vendor Advisory

URL

CVE-2024-20308

Exploit prediction scoring system (EPSS) score for CVE-2024-20308

Common vulnerability scoring system (CVSS) metrics for CVE-2024-20308

Weakness enumeration for CVE-2024-20308

Affected software / configurations for CVE-2024-20308

References for CVE-2024-20308