Cisco: CISCO-SA-20150622-CVE-2015-4200
Jun 22, 2015 - 2:53 p.m.

Cisco IOS Software UBR Devices IPv6 to IPv4 Subsystem Denial of Service Vulnerability

2015-06-22 14:53:40
tools.cisco.com

CVSS2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

EPSS: 0.003
Percentile: 65.8%

A vulnerability in the IPv6 to IPv4 subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a standby Performance Routing Engine (PRE) to leak a small portion of memory on a targeted system, resulting in a denial of service (DoS) condition.

The vulnerability is due to a failure to free a portion of memory allocated to store the IPv6 address of a connecting customer premises equipment (CPE) device when a specific error condition is encountered. An attacker who can trigger a specific type of failed CPE negotiation could cause the standby PRE to leak a small portion of memory, resulting in a DoS condition.
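The failure-path leak described above, modelled as an added example: this is not Cisco IOS code (the advisory shows none), and every name in it (cpe_session, negotiate_leaky, negotiate_fixed, track_alloc) is hypothetical. It counts allocations still outstanding after repeated failed negotiations, first with the leaky error branch and then with a single-exit cleanup.

```c
/* Added illustration: hypothetical model of the bug class, not Cisco IOS code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long live_allocs;                       /* allocations not yet freed */
static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

struct cpe_session { unsigned char *ipv6_addr; };      /* hypothetical session state */
typedef int (*negotiate_fn)(struct cpe_session *, const unsigned char *, int);

/* Leaky pattern: the error branch returns without releasing the address copy. */
static int negotiate_leaky(struct cpe_session *s, const unsigned char *addr, int fail)
{
    unsigned char *copy = track_alloc(16);
    if (!copy) return -1;
    memcpy(copy, addr, 16);
    if (fail) return -1;                       /* BUG: copy is never freed */
    s->ipv6_addr = copy;
    return 0;
}

/* Corrected pattern: one exit; ownership moves to the session only on success. */
static int negotiate_fixed(struct cpe_session *s, const unsigned char *addr, int fail)
{
    int rc = -1;
    unsigned char *copy = track_alloc(16);
    if (!copy) return -1;
    memcpy(copy, addr, 16);
    if (fail) goto out;
    s->ipv6_addr = copy;
    copy = NULL;                               /* session owns it now */
    rc = 0;
out:
    track_free(copy);                          /* no-op when ownership was transferred */
    return rc;
}

/* Allocations still outstanding after n failed negotiations through fn. */
static long leaked_after(negotiate_fn fn, int n)
{
    static const unsigned char addr[16] = { 0x20, 0x01, 0x0d, 0xb8 };  /* constructed: 2001:db8:: */
    struct cpe_session s = { NULL };
    long before = live_allocs;
    for (int i = 0; i < n; i++) fn(&s, addr, 1);
    return live_allocs - before;
}

int main(void) { printf("leaky=%ld fixed=%ld\n", leaked_after(negotiate_leaky, 1000), leaked_after(negotiate_fixed, 1000)); return 0; }
```

Each failed negotiation strands one small buffer in the leaky version, so the outstanding count grows linearly with the number of failures, which is how a small per-event leak becomes a memory-exhaustion DoS.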

Cisco has confirmed the vulnerability and released software updates.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

