CVE-2026-20005
Received Received - Intake
Denial of Service in Cisco Snort 3 via SSL Handshake Parsing

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to incomplete parsing of the SSL handshake ingress packets. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20005
EUVD
EUVD-2026-9427
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
cisco snort_3_detection_engine *
cisco open_source_snort_3 3.9.2.0
cisco secure_firewall_threat_defense *
cisco ios_xe *
cisco meraki_mx_series *
cisco cyber_vision *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-392 The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20005 is a medium-severity denial of service (DoS) vulnerability affecting multiple Cisco products that use the Snort 3 Detection Engine.

The vulnerability arises from incomplete parsing of SSL handshake ingress packets by the Snort 3 Detection Engine.

An unauthenticated, remote attacker can exploit this by sending specially crafted SSL handshake packets that cause the Snort 3 Detection Engine to restart unexpectedly.

This restart interrupts packet inspection, resulting in a denial of service condition.

Impact Analysis

The vulnerability can cause the Snort 3 Detection Engine to restart unexpectedly, which interrupts packet inspection.

This interruption leads to a denial of service (DoS) condition, potentially leaving your network security monitoring and threat detection temporarily disabled.

Since the attack requires no authentication and can be performed remotely, it increases the risk of service disruption without needing privileged access.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or methods provided in the available information to identify this vulnerability on your network or system.

Mitigation Strategies

No workarounds exist for this vulnerability. Cisco strongly recommends upgrading to fixed software releases to mitigate the issue.

  • For Open Source Snort 3, upgrade to version 3.9.2.0 or later.
  • Cisco Secure Firewall ASA, FMC, and FTD software users should use the Cisco Software Checker tool to identify affected versions and upgrade accordingly.
  • Meraki MX series devices have been automatically updated via the Meraki Dashboard as of February 5, 2026.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20005. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart