Cisco 12000 Series Internet Router ACL Failure To Drop Packets Vulnerability

Cisco 12000 Series Internet Routers fitted with Engine 2 line cards are prone to an issue in which an outbound access control list may fail to drop packets it is meant to deny.

The issue occurs when an outgoing access control list (ACL) contains exactly 448 entries and the final entry is not an explicit "deny ip any any" rule, that is, when the list relies on the implicit deny at its end rather than stating it.

As a result, some packets that the ACL should drop are forwarded instead, allowing traffic the filter was meant to block to pass through the router to the network beyond the filtered interface.

Cisco tracks this issue as bug ID CSCdu03323.
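The condition above (an outbound ACL of exactly 448 entries whose last entry is not an explicit "deny ip any any") can be checked offline against a saved configuration. The following script is an added example, not code from Cisco or SecurityFocus: it parses IOS-style ACL and interface blocks, counts real access-control entries (ignoring sequence numbers and "remark" lines), and reports outbound ACLs matching the condition. The configuration it audits is constructed inline, the interface and ACL names are invented, and the remediate() helper implements the obvious workaround the condition implies (make the final deny explicit), which the advisory itself does not spell out.

```python
# Added example: audit an IOS-style config for the 448-entry outbound-ACL
# condition.  Assumes classic IOS syntax: "ip access-list extended NAME"
# blocks with indented entries, numbered "access-list N ..." lines, and
# "ip access-group NAME out" under an interface.  Sample config is constructed.
import re

FLAGGED_LENGTH = 448  # the entry count named in the advisory

NAMED_ACL_RE = re.compile(r"^ip access-list (?:extended|standard) (\S+)$")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) (.+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^ip access-group (\S+) (in|out)$")
EXPLICIT_DENY_RE = re.compile(r"^deny ip any any( log(-input)?)?$")


def parse_config(text):
    """Return (acls, outbound): ACL name -> raw entry lines, and
    interface name -> name of the ACL applied with 'out'."""
    acls, outbound = {}, {}
    current_acl = current_if = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current_acl = current_if = None      # '!' separates IOS sections
            continue
        if line.startswith(" "):                 # indented: body of a block
            if current_acl is not None:
                acls[current_acl].append(line.strip())
            elif current_if is not None:
                m = ACCESS_GROUP_RE.match(line.strip())
                if m and m.group(2) == "out":
                    outbound[current_if] = m.group(1)
            continue
        current_acl = current_if = None          # any other top-level line
        m = NAMED_ACL_RE.match(line)
        if m:
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
            continue
        m = NUMBERED_ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
    return acls, outbound


def entries_of(raw_lines):
    """Filtering entries only: strip sequence numbers, drop 'remark' lines."""
    entries = []
    for line in raw_lines:
        body = re.sub(r"^\d+\s+", "", line)
        if not body.startswith("remark"):
            entries.append(body)
    return entries


def ends_with_explicit_deny(entries):
    return bool(entries) and EXPLICIT_DENY_RE.match(entries[-1]) is not None


def find_affected(acls, outbound):
    """Outbound ACLs with exactly FLAGGED_LENGTH entries and no explicit
    'deny ip any any' as the final entry."""
    hits = []
    for iface, name in sorted(outbound.items()):
        entries = entries_of(acls.get(name, []))
        if len(entries) == FLAGGED_LENGTH and not ends_with_explicit_deny(entries):
            hits.append((iface, name))
    return hits


def remediate(entries):
    """Make the implicit deny explicit by appending 'deny ip any any'."""
    return list(entries) if ends_with_explicit_deny(entries) else list(entries) + ["deny ip any any"]


def build_sample_config():
    """Constructed config (documentation address range, invented names).
    EDGE-OUT-A: 448 permits, implicit deny only -> should be flagged.
    EDGE-OUT-B: 447 permits + explicit deny (448 entries) -> not flagged.
    EDGE-OUT-C: 447 permits -> not flagged.  EDGE-IN: inbound, out of scope."""
    def permits(n):
        return [" permit tcp any host 192.0.2.%d eq 80" % (i % 254 + 1) for i in range(n)]
    lines = ["!", "ip access-list extended EDGE-OUT-A", " remark 448 permits, implicit deny only"]
    lines += permits(FLAGGED_LENGTH)
    lines += ["!", "ip access-list extended EDGE-OUT-B"] + permits(FLAGGED_LENGTH - 1)
    lines += [" deny ip any any", "!", "ip access-list extended EDGE-OUT-C"]
    lines += permits(FLAGGED_LENGTH - 1)
    lines += ["!", "ip access-list extended EDGE-IN"] + permits(FLAGGED_LENGTH)
    lines += ["!", "interface POS1/0", " ip access-group EDGE-IN in",
              " ip access-group EDGE-OUT-A out", "!", "interface POS2/0",
              " ip access-group EDGE-OUT-B out", "!", "interface POS3/0",
              " ip access-group EDGE-OUT-C out", "!"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    acls, outbound = parse_config(build_sample_config())
    for iface, name in find_affected(acls, outbound):
        print("%s: outbound ACL %s has exactly %d entries and no explicit "
              "'deny ip any any'" % (iface, name, FLAGGED_LENGTH))
```

Run against a real "show running-config" capture by replacing build_sample_config() with the file contents. Remarks are excluded from the count because they are not filtering entries; whether the platform counts them identically is not stated on this page, so treat a list of 447 or 449 entries plus remarks as worth a manual look as well.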

Copyright 2010, SecurityFocus