CVE-2026-20052
Received Received - Intake
Memory Management Logic Error in Snort 3 Causes DoS

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the memory management handling for the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart. This vulnerability is due to a logic error in memory management when a device is performing Snort 3 SSL packet inspection. An attacker could exploit this vulnerability by sending crafted SSL packets through an established connection to be parsed by the Snort 3 Detection Engine. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine unexpectedly restarts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20052
EUVD
EUVD-2026-9458
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cisco secure_firewall_threat_defense *
cisco snort_3 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-788 The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software and is caused by a logic error in memory management during SSL packet inspection.

An unauthenticated, remote attacker can exploit this flaw by sending specially crafted SSL packets through an established connection to the Snort 3 Detection Engine.

Successful exploitation causes the Snort 3 Detection Engine to unexpectedly restart, resulting in a denial of service (DoS) condition.

Impact Analysis

[{'type': 'paragraph', 'content': 'The primary impact of this vulnerability is a denial of service (DoS) condition caused by the unexpected restart of the Snort 3 Detection Engine.'}, {'type': 'paragraph', 'content': "This means that the firewall's detection capabilities could be temporarily disrupted, potentially reducing the security monitoring and protection provided by the device."}, {'type': 'paragraph', 'content': 'Since the attack can be performed remotely and without authentication, it increases the risk of service interruption.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by verifying the SSL policy configuration and the status of Snort 3 on Cisco Secure Firewall Threat Defense (FTD) Software.

  • Use the CLI command `show ssl-policy-config` on Cisco Secure FTD Software to check the SSL policy status.
  • For devices managed by Cisco Secure Firepower Device Manager (FDM), check the SSL Decryption tab under Policies.
  • For devices managed by Cisco Secure Firewall Management Center (FMC), check the SSL Policy area in Access Control policies.
  • For devices managed by Cisco Defense Orchestrator, check the Decryption Policy in FTD Policies.
Mitigation Strategies

The only effective mitigation for this vulnerability is to upgrade to Cisco software releases that contain the fix.

Cisco provides a Software Checker tool to identify affected versions and fixed releases.

There are no workarounds identified; customers should verify device configurations, ensure sufficient memory and compatibility before upgrading, and consult Cisco TAC for assistance if needed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart