Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.

This vulnerability is due to incomplete parsing of the SSL handshake ingress packets. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.
Published: 2026-03-04
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Acquire Patch
AI Analysis

Impact

The vulnerability lies in the Snort 3 Detection Engine's handling of SSL handshake ingress packets. A malicious actor can send specially crafted SSL handshake packets that the engine fails to parse correctly, causing the engine to restart. This restart interrupts packet inspection, resulting in a denial of service to network traffic processed by the affected Cisco products. The weakness is classified as CWE-392, an improper shutdown or failure to properly terminate a process.

Affected Systems

Affected products include Cisco Cyber Vision, Cisco Secure Firewall Threat Defense (FTD) Software, and Cisco UTD SNORT IPS Engine Software. No specific version details are provided in the CNA data, so every deployment of these products should be treated as potentially affected.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, while the EPSS score of less than 1% suggests a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog, and no official exploitation proof of concept is reported. The likely attack vector is remote, unauthenticated traffic targeting the Snort 3 engine over a network connection. Because the flaw can be triggered without authentication, any system reachable by the attacker that runs a vulnerable instance could suffer a service interruption.

Generated by OpenCVE AI on April 17, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued firmware or software update that fixes the SSL handshake parsing bug in the Snort 3 Detection Engine
  • Implement network-level filtering or rate limiting to reduce the impact of malformed SSL handshake packets before they reach the Snort 3 engine
  • Configure alerts on Snort 3 engine restart events to enable rapid response and investigation


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cisco; Cisco cisco Utd Snort Ips Engine Software; Cisco cyber Vision; Cisco secure Firewall Threat Defense

Type: Vendors & Products
Values Removed: (none)
Values Added: Cisco; Cisco cisco Utd Snort Ips Engine Software; Cisco cyber Vision; Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 17:45:00 +0000

Type: Description
Values Removed: Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to incomplete parsing of the SSL handshake ingress packets by the Snort 3 Detection Engine. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.
Values Added: Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to incomplete parsing of the SSL handshake ingress packets. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.

Type: Title
Value: Multiple Cisco Products Snort 3 SSL Denial of Service Vulnerability

Wed, 04 Mar 2026 17:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to incomplete parsing of the SSL handshake ingress packets by the Snort 3 Detection Engine. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.

Type: Title
Values Removed: (none)
Values Added: Multiple Cisco Products Snort 3 SSL Denial of Service Vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-392

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T18:04:14.731Z

Reserved: 2025-10-08T11:59:15.349Z

Link: CVE-2026-20005

Vulnrichment

Updated: 2026-03-04T17:18:53.283Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T17:16:18.110

Modified: 2026-03-04T18:16:13.133

Link: CVE-2026-20005

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses