CVE-2026-20027
Buffer Overflow in Cisco Snort 3 Causes Info Leak, Crash
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | open_source_snort_3 | to 3.9.6.0 (exc) |
| cisco | secure_firewall_threat_defense | From 7.0.0 (inc) |
| cisco | ios_xe | From 26.1.1 (inc) |
| cisco | meraki | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20027 is a medium-severity vulnerability in multiple Cisco products that use Snort 3 for processing DCE/RPC requests. It is caused by an error in buffer handling logic that leads to a buffer out-of-bounds read. An unauthenticated, remote attacker can exploit this by sending many crafted DCE/RPC requests through an established connection inspected by Snort 3, potentially causing sensitive information to be leaked from the Snort 3 data stream or causing the Snort 3 Detection Engine to restart, interrupting packet inspection. [1]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated, remote attacker to obtain sensitive information from the Snort 3 data stream, resulting in information exposure. The attacker could also cause the Snort 3 Detection Engine to restart, interrupting packet inspection and potentially reducing the effectiveness of network security monitoring while the engine is down. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Determining exposure to this vulnerability requires verifying that Snort 3 is active and inspecting DCE/RPC traffic on your devices. Cisco provides detailed instructions and tools to verify Snort 3 activation and the Unified Threat Defense (UTD) engine status on affected devices. Users of Cisco Secure Firewall ASA, FMC, and FTD can use the Cisco Software Checker tool to identify affected releases. Specific commands are not provided in the referenced resources; checking Snort 3 activation and UTD engine status is the recommended approach. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading to fixed software releases provided by Cisco. For Open Source Snort 3, upgrade to version 3.9.6.0 or later. Cisco Secure Firewall ASA, FMC, and FTD users should use the Cisco Software Checker tool to identify affected versions and obtain fixed releases. Cisco IOS XE users should upgrade to release 26.1.1 or later. Cisco Meraki users should apply fixes when released (planned for February 2026). Hotfixes are available for Cisco Secure FTD Software releases 7.0 and 7.2. No workarounds are available, so upgrading is strongly recommended. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could lead to the disclosure of sensitive information due to a buffer out-of-bounds read in Snort 3's processing of DCE/RPC requests. Such unauthorized exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. Therefore, organizations using affected Cisco products should apply the provided software updates promptly to mitigate the risk and maintain compliance. [1]