CVE-2026-20005
Received Received - Intake
Denial of Service in Cisco Snort 3 via SSL Handshake Parsing

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to incomplete parsing of the SSL handshake ingress packets. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-05-06
AI Q&A
2026-03-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-20005
EUVD
EUVD-2026-9427
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
cisco snort_3_detection_engine *
cisco open_source_snort_3 3.9.2.0
cisco secure_firewall_threat_defense *
cisco ios_xe *
cisco meraki_mx_series *
cisco cyber_vision *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-392 The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20005 is a medium-severity denial of service (DoS) vulnerability affecting multiple Cisco products that use the Snort 3 Detection Engine.

The vulnerability arises from incomplete parsing of SSL handshake ingress packets by the Snort 3 Detection Engine.

An unauthenticated, remote attacker can exploit this by sending specially crafted SSL handshake packets that cause the Snort 3 Detection Engine to restart unexpectedly.

This restart interrupts packet inspection, resulting in a denial of service condition.


How can this vulnerability impact me? :

The vulnerability can cause the Snort 3 Detection Engine to restart unexpectedly, which interrupts packet inspection.

This interruption leads to a denial of service (DoS) condition, potentially leaving your network security monitoring and threat detection temporarily disabled.

Since the attack requires no authentication and can be performed remotely, it increases the risk of service disruption without needing privileged access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or methods provided in the available information to identify this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

No workarounds exist for this vulnerability. Cisco strongly recommends upgrading to fixed software releases to mitigate the issue.

  • For Open Source Snort 3, upgrade to version 3.9.2.0 or later.
  • Cisco Secure Firewall ASA, FMC, and FTD software users should use the Cisco Software Checker tool to identify affected versions and upgrade accordingly.
  • Meraki MX series devices have been automatically updated via the Meraki Dashboard as of February 5, 2026.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart