⚠ Actively exploited
Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-17. Required action: Apply updates per vendor instructions.

CVE-2018-0151: Improper Restriction of Operations within the Bounds of a Memory Buffer in Cisco IOS XE

Severity: 9.8 CRITICAL (NVD)
EPSS: 7.7% (top 8.04%)
CISA KEV: Added 2022-03-03, due 2022-03-17
Exploit: Exploited in wild; active exploitation observed

Timeline
Published: Mar 28
KEV added: Mar 3
KEV due: Mar 17
Latest update: Oct 21
CISA Required Action: Apply updates per vendor instructions.

Description

A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

NVD: cisco/ios_xe 16.5.1

🔴 Vulnerability Details (3)

GHSA (2022-05-13): GHSA-mpwr-vh8m-qpfg: A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attac
CVEList (2018-03-28): CVE-2018-0151: A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attac
VulnCheck (2018): Cisco IOS Software and Cisco IOS XE Software Quality of Service Remote Code Execution Vulnerability

📋 Vendor Advisories (3)

CISA (2022-03-03): Cisco IOS Software and Cisco IOS XE Software Quality of Service Remote Code Execution Vulnerability
CISA ICS (2018-04-25): Rockwell Automation Stratix Services Router
Cisco (2018-03-28): Cisco IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability

📄 Research Papers (1)

arXiv (2025-10-21): Prompting the Priorities: A First Look at Evaluating LLMs for Vulnerability Triage and Prioritization