CVE-2026-20027
Unknown Unknown - Not Provided
Buffer Overflow in Cisco Snort 3 Causes Info Leak, Crash

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: Cisco Systems, Inc.

Description
Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to obtain sensitive information in the Snort 3 data stream.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20027
EUVD
EUVD-2026-1200
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
cisco open_source_snort_3 to 3.9.6.0 (exc)
cisco secure_firewall_threat_defense From 7.0.0 (inc)
cisco ios_xe From 26.1.1 (inc)
cisco meraki *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20027 is a medium-severity vulnerability in multiple Cisco products that use Snort 3 for processing DCE/RPC requests. It is caused by an error in buffer handling logic that leads to a buffer out-of-bounds read. An unauthenticated, remote attacker can exploit this by sending many crafted DCE/RPC requests through an established connection inspected by Snort 3, potentially causing sensitive information to be leaked from the Snort 3 data stream or causing the Snort 3 Detection Engine to restart, interrupting packet inspection. [1]

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated, remote attacker to obtain sensitive information from the Snort 3 data stream, which could lead to information exposure. Additionally, the attacker could cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection and potentially reducing the effectiveness of network security monitoring. [1]

Detection Guidance

Detection of this vulnerability requires verifying that Snort 3 is active and inspecting DCE/RPC traffic on your devices. Cisco provides detailed instructions and tools to verify Snort 3 activation and the Unified Threat Defense (UTD) engine status on affected devices. Users of Cisco Secure Firewall ASA, FMC, and FTD can use the Cisco Software Checker tool to identify affected releases. Specific commands are not provided in the resources, but checking Snort 3 activation and UTD engine status is recommended. [1]

Mitigation Strategies

Immediate mitigation involves upgrading to fixed software releases provided by Cisco. For Open Source Snort 3, upgrade to version 3.9.6.0 or later. Cisco Secure Firewall ASA, FMC, and FTD users should use the Cisco Software Checker tool to identify affected versions and obtain fixed releases. Cisco IOS XE users should upgrade to release 26.1.1 or later. Cisco Meraki users should apply fixes when released (planned for February 2026). Hotfixes are available for Cisco Secure FTD Software releases 7.0 and 7.2. No workarounds are available, so upgrading is strongly recommended. [1]

Compliance Impact

This vulnerability could lead to the disclosure of sensitive information due to a buffer out-of-bounds read in Snort 3's processing of DCE/RPC requests. Such unauthorized exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. Therefore, organizations using affected Cisco products should apply the provided software updates promptly to mitigate the risk and maintain compliance. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart