PatchSiren cyber security CVE debrief
CVE-2016-9225 Cisco CVE debrief
CVE-2016-9225 describes a denial-of-service issue in the Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security module's data plane IP fragment handler. An unauthenticated remote attacker can send crafted fragmented IP traffic that exhausts free packet buffers in shared memory, leaving the CX module unable to process further traffic. Cisco and NVD characterize this as a high-severity availability issue, and Cisco states there are no software updates or workarounds that address it.
- Vendor
- Cisco
- Product
- Cisco ASA CX Context-Aware Security module (all versions)
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-01
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-01
- Advisory updated
- 2026-05-13
Who should care
Organizations still operating Cisco ASA deployments with the CX Context-Aware Security module should treat this as urgent, especially if the module is exposed to untrusted network traffic. Network security teams, firewall owners, and incident responders should pay attention because the issue is remotely triggerable without authentication and Cisco indicates there is no direct fix or workaround.
Technical summary
The vulnerability is a resource-exhaustion condition in the CX module's IP fragment handling path (CWE-399, Resource Management Errors). According to the CVE description, crafted fragmented IP traffic can exhaust the free packet buffers in shared memory (SHM); once those buffers are gone the module cannot process additional traffic, producing a denial of service. NVD lists the CVSS v3.0 vector as AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H: network-reachable, low attack complexity, no privileges or user interaction, scope changed, and high availability impact with no confidentiality or integrity impact. The scope-changed flag is what lifts the score to 8.6; the same metrics with unchanged scope would score 7.5.
Defensive priority
High. The bug is remotely reachable, requires no authentication, affects all versions of the ASA CX Context-Aware Security module in the record, and Cisco says there are no updates or workarounds. That combination makes exposure management and replacement planning important wherever the module is still in use.
Recommended defensive actions
- Inventory Cisco ASA deployments to determine whether the CX Context-Aware Security module is present and whether the environment matches the affected product record.
- Prioritize removal, replacement, or decommissioning of affected deployments, since Cisco states there are no software updates and no workarounds for this issue.
- Reduce exposure of affected systems to untrusted network traffic where operationally possible, and review segmentation and ingress controls around the module; in particular, confirm that fragmented IP traffic from untrusted sources is not steered into the CX module unnecessarily.
- Monitor for availability degradation or traffic-processing failures consistent with shared-memory buffer exhaustion, and watch for the traffic pattern that drives it: sustained volumes of fragmented IP datagrams, especially fragment chains that never complete, arriving at the module from a small number of sources.
- Track Cisco's vendor advisory and NVD record for any lifecycle or reference updates, even though no corrective software is available in the supplied record.
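The monitoring action above is easier to act on with concrete logic. The following is an added example for this debrief, not Cisco code and not a published signature for CVE-2016-9225: it models the failure mode the CVE describes (fragments that never reassemble hold packet buffers until a timeout expires) and flags sources that open many fragment chains without completing them. It expects per-packet records of the kind a span-port capture or a flow exporter that preserves fragment fields would give you; the field names, thresholds, and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict


def constructed_sample():
    """Constructed packet metadata, not captured traffic.

    Each record: arrival time, IP source/destination, IP identification, protocol,
    More-Fragments flag, fragment offset (in 8-byte units, as in the IP header)
    and fragment payload length in bytes.
    """
    recs = []
    # Legitimate two-fragment UDP datagram from 10.0.0.5: first fragment carries
    # 1480 bytes at offset 0, last fragment starts at offset 185 (185 * 8 = 1480).
    recs.append(dict(ts=0.0, src="10.0.0.5", dst="198.51.100.10", ip_id=4001,
                     proto=17, mf=1, offset=0, length=1480))
    recs.append(dict(ts=0.1, src="10.0.0.5", dst="198.51.100.10", ip_id=4001,
                     proto=17, mf=0, offset=185, length=100))
    # Flood from 203.0.113.7: 50 datagrams, each a single non-initial fragment
    # with MF set, so no chain ever has a first or a last fragment.
    for i in range(50):
        recs.append(dict(ts=1.0 + i * 0.01, src="203.0.113.7", dst="198.51.100.10",
                         ip_id=9000 + i, proto=17, mf=1, offset=185, length=1480))
    return recs


def chain_complete(frags):
    """True if the fragments cover the datagram contiguously up to its last fragment."""
    last = [f for f in frags if f["mf"] == 0]
    if not last:
        return False  # no final fragment seen, total length unknown
    end = max(f["offset"] * 8 + f["length"] for f in last)
    covered = 0
    for off, ln in sorted((f["offset"] * 8, f["length"]) for f in frags):
        if off > covered:
            return False  # hole before this fragment
        covered = max(covered, off + ln)
    return covered >= end


def audit_fragments(records, now, timeout=30.0):
    """Group fragments into chains keyed by (src, dst, id, proto) and summarise per source.

    'stale' counts incomplete chains older than `timeout`, which is the buffer-holding
    condition behind this class of DoS; 'pending' chains are incomplete but still
    within the timeout and may legitimately complete.
    """
    chains = defaultdict(list)
    for r in records:
        if r["mf"] == 0 and r["offset"] == 0:
            continue  # unfragmented datagram, not part of any chain
        chains[(r["src"], r["dst"], r["ip_id"], r["proto"])].append(r)

    stats = defaultdict(lambda: {"chains": 0, "complete": 0, "stale": 0, "pending": 0})
    for (src, _dst, _ip_id, _proto), frags in chains.items():
        s = stats[src]
        s["chains"] += 1
        if chain_complete(frags):
            s["complete"] += 1
        elif now - min(f["ts"] for f in frags) > timeout:
            s["stale"] += 1
        else:
            s["pending"] += 1
    return dict(stats)


def suspicious_sources(stats, min_chains=20, min_stale_ratio=0.9):
    """Sources that opened many chains and left almost all of them stale."""
    return sorted(src for src, s in stats.items()
                  if s["chains"] >= min_chains
                  and s["stale"] / s["chains"] >= min_stale_ratio)


if __name__ == "__main__":
    stats = audit_fragments(constructed_sample(), now=100.0)
    for src, s in stats.items():
        print(src, s)
    print("suspicious:", suspicious_sources(stats))
```

Two design points matter here. Completion is judged on byte coverage, not on simply having seen an MF=0 fragment, because an attacker can send a final fragment without the first and still leave the chain unreassemblable. And the stale count is tied to a reassembly timeout rather than to "incomplete at end of window", so that a burst of legitimate fragments still in flight does not trip the alert; with `now` set inside the timeout the flood above is reported as pending, not stale.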
Evidence notes
Source evidence comes from the CVE description and the NVD record. The record states that improper handling of IP fragments in the Cisco ASA CX module can exhaust free packet buffers in shared memory and cause a DoS, that all versions of the module are affected, and that Cisco will not release software updates and provides no workarounds. NVD also maps the issue to CWE-399 and publishes CVSS v3.0 8.6 High.
Official resources
- CVE-2016-9225 CVE record (CVE.org)
- CVE-2016-9225 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Vendor Advisory (Cisco)
CVE published by the CVE/NVD record on 2017-02-01T19:59:00.157Z; the supplied source record was last modified on 2026-05-13T00:24:29.033Z. The NVD metadata references Cisco's vendor advisory as the primary vendor source.