CVE-2026-20053
Heap Overflow in Cisco Snort 3 VBA Causes Remote DoS

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 VBA feature that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. This vulnerability is due to improper range checking when decompressing VBA data, which is user controlled. An attacker could exploit this vulnerability by sending crafted VBA data to the Snort 3 Detection Engine on the targeted device. A successful exploit could allow the attacker to cause an overflow of heap data, which could cause a DoS condition.
Meta Information
Published: 2026-03-04
Last Modified: 2026-03-04
Generated: 2026-05-07
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
10 associated CPEs:

Vendor  Product                          Version / Range
cisco   open_source_snort_3              3.9.3.0
cisco   open_source_snort_3              3.9.6.0
cisco   secure_firewall_threat_defense   *
cisco   ios_xe                           *
cisco   cyber_vision                     5.3.3
cisco   ios_xe                           17.12.7
cisco   ios_xe                           17.15.5
cisco   ios_xe                           17.18.3
cisco   ios_xe                           26.1.1
cisco   snort_3                          *
CWE ID: CWE-122
Description: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects multiple Cisco products that use the Snort 3 Visual Basic for Applications (VBA) Decompression Engine. It is caused by improper range checking when decompressing user-controlled VBA data, which can lead to a heap overflow.

An unauthenticated, remote attacker can exploit this by sending specially crafted VBA data to the Snort 3 Detection Engine, causing it to crash or restart unexpectedly, resulting in a denial of service (DoS) condition.

The vulnerability only affects Snort 3 with VBA macro decompression enabled, which is not enabled by default.


How can this vulnerability impact me?

If exploited, this vulnerability can cause the Snort 3 Detection Engine on affected Cisco devices to crash or restart, leading to a denial of service (DoS) condition.

This means that the security monitoring and intrusion detection capabilities provided by Snort 3 could be temporarily unavailable, potentially reducing the effectiveness of network defense.

However, the vulnerability does not impact confidentiality or integrity of data, only availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects Cisco products using the Snort 3 VBA decompression feature when it is enabled. Detection involves identifying if Snort 3 with VBA macro decompression is active on your devices.

Since VBA macro decompression is not enabled by default, first verify if it is enabled on your Cisco Secure Firewall Threat Defense (FTD), Cisco IOS XE with Unified Threat Defense (UTD) Snort IPS Engine, or Cisco Cyber Vision devices.

Cisco provides a Software Checker tool to identify affected versions and fixes, which can help detect vulnerable software versions.

No specific commands are provided in the available resources to detect exploitation or presence of the vulnerability on the network or system.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling the VBA decompression feature in Snort 3, as it is not enabled by default and disabling it effectively mitigates the risk.

Cisco strongly recommends upgrading to fixed software releases that address this vulnerability. Fixed versions include:

- Open Source Snort 3: versions 3.9.3.0 and later
- Cisco Secure Firewall ASA, FMC, and FTD Software: upgrade to fixed releases as identified by Cisco's Software Checker tool
- Cisco IOS XE Software: versions 17.12.7, 17.15.5, 17.18.3, and 26.1.1 or later
- Cisco Cyber Vision: version 5.3.3 or later

Until fixed software can be deployed, disabling VBA decompression is the recommended workaround to prevent exploitation. [1]

