CVE-2026-20053
Received Received - Intake
Heap Overflow in Cisco Snort 3 VBA Causes Remote DoS

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 VBA feature that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. This vulnerability is due to improper range checking when decompressing VBA data, which is user controlled. An attacker could exploit this vulnerability by sending crafted VBA data to the Snort 3 Detection Engine on the targeted device. A successful exploit could allow the attacker to cause an overflow of heap data, which could cause a DoS condition.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20053
EUVD
EUVD-2026-9459
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
cisco open_source_snort_3 3.9.3.0
cisco open_source_snort_3 3.9.6.0
cisco secure_firewall_threat_defense *
cisco ios_xe *
cisco cyber_vision 5.3.3
cisco ios_xe 17.12.7
cisco ios_xe 17.15.5
cisco ios_xe 17.18.3
cisco ios_xe 26.1.1
cisco snort_3 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects multiple Cisco products that use the Snort 3 Visual Basic for Applications (VBA) Decompression Engine. It is caused by improper range checking when decompressing user-controlled VBA data, which can lead to a heap overflow.

An unauthenticated, remote attacker can exploit this by sending specially crafted VBA data to the Snort 3 Detection Engine, causing it to crash or restart unexpectedly, resulting in a denial of service (DoS) condition.

The vulnerability only affects Snort 3 with VBA macro decompression enabled, which is not enabled by default.

Impact Analysis

If exploited, this vulnerability can cause the Snort 3 Detection Engine on affected Cisco devices to crash or restart, leading to a denial of service (DoS) condition.

This means that the security monitoring and intrusion detection capabilities provided by Snort 3 could be temporarily unavailable, potentially reducing the effectiveness of network defense.

However, the vulnerability does not impact confidentiality or integrity of data, only availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects Cisco products using the Snort 3 VBA decompression feature when it is enabled. Detection involves identifying if Snort 3 with VBA macro decompression is active on your devices.

Since VBA macro decompression is not enabled by default, first verify if it is enabled on your Cisco Secure Firewall Threat Defense (FTD), Cisco IOS XE with Unified Threat Defense (UTD) Snort IPS Engine, or Cisco Cyber Vision devices.

Cisco provides a Software Checker tool to identify affected versions and fixes, which can help detect vulnerable software versions.

No specific commands are provided in the available resources to detect exploitation or presence of the vulnerability on the network or system.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include disabling the VBA decompression feature in Snort 3, as it is not enabled by default and disabling it effectively mitigates the risk.'}, {'type': 'paragraph', 'content': 'Cisco strongly recommends upgrading to fixed software releases that address this vulnerability. Fixed versions include:'}, {'type': 'list_item', 'content': 'Open Source Snort 3: versions 3.9.3.0 and later'}, {'type': 'list_item', 'content': "Cisco Secure Firewall ASA, FMC, and FTD Software: upgrade to fixed releases as identified by Cisco's Software Checker tool"}, {'type': 'list_item', 'content': 'Cisco IOS XE Software: versions 17.12.7, 17.15.5, 17.18.3, and 26.1.1 or later'}, {'type': 'list_item', 'content': 'Cisco Cyber Vision: version 5.3.3 or later'}, {'type': 'paragraph', 'content': 'Until fixed software can be deployed, disabling VBA decompression is the recommended workaround to prevent exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20053. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart