CVE-2026-20006
TLS Protocol Vulnerability in Cisco Snort 3 Causes DoS
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | firepower_services | * |
| cisco | secure_firewall_threat_defense_software | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-388 |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20006 is a medium-severity vulnerability in the TLS cryptography functionality of the Snort 3 Detection Engine within Cisco Secure Firewall Threat Defense (FTD) Software.
The vulnerability is caused by an improper implementation of the TLS protocol, which allows an unauthenticated remote attacker to send specially crafted TLS packets that cause the Snort 3 Detection Engine to unexpectedly restart.
This unexpected restart leads to dropped network traffic and results in a denial of service (DoS) condition. Notably, TLS 1.3 is not affected by this vulnerability.
How can this vulnerability impact me? :
If exploited, this vulnerability can cause the Snort 3 Detection Engine to restart unexpectedly, which leads to dropped network traffic.
The resulting denial of service (DoS) condition can disrupt network security monitoring and traffic inspection, potentially allowing malicious traffic to pass undetected or causing interruptions in network operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you should verify if Snort 3 is enabled on your Cisco Secure Firewall Threat Defense (FTD) device and check the SSL or decryption policy configurations via the Cisco Secure FMC Software management interface.
Specifically, look for SSL or decryption policies that block traffic from specific TLS versions (TLS 1.0, 1.1, or 1.2) or policies that do not decrypt traffic for unsupported cipher suites, as these conditions make the device vulnerable.
Cisco provides a Software Checker tool to identify affected releases and the earliest fixed versions, which can help confirm if your software version is vulnerable.
While no explicit commands are provided in the advisory, using the Cisco Secure FMC Software management interface to review Snort 3 activation and SSL/decryption policy settings is the recommended detection method.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include configuring your SSL or decryption policies to allow traffic from all TLS versions by enabling all TLS version checkboxes in the policy rules, thereby avoiding blocking specific TLS versions.
Be aware that these workarounds may impact network functionality or performance, so they should be tested before deployment.
The most effective mitigation is to upgrade to the fixed software versions released by Cisco that fully remediate the vulnerability.
Using the Cisco Software Checker tool can help identify the appropriate fixed versions for your environment.