Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 VBA feature that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. 

This vulnerability is due to improper error checking when decompressing VBA data. An attacker could exploit this vulnerability by sending crafted VBA data to the Snort 3 Detection Engine on the targeted device. A successful exploit could allow the attacker to cause the Snort 3 Detection Engine to enter an infinite loop, causing a DoS condition.
Published: 2026-03-04
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Infinite Loop)
Action: Patch
AI Analysis

Impact

An attacker can trigger an infinite loop in the Snort 3 Detection Engine by sending specially crafted VBA data, which causes the engine to crash. This flaw stems from improper error checking during VBA data decompression and results in a denial‑of‑service condition on the affected device.

Affected Systems

The vulnerable products include Cisco Cyber Vision, Cisco Secure Firewall Threat Defense (FTD) Software, and Cisco UTD SNORT IPS Engine Software. No specific version numbers are listed, so all current releases are potentially affected until an official patch is applied.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is accessible to unauthenticated remote attackers, and it is not currently listed in the CISA KEV catalog. Due to the nature of the flaw—an infinite loop leading to resource exhaustion—an attacker who succeeds could render the Snort 3 engine unusable, thereby degrading IDS functionality and potentially impacting the overall security posture of the network.

Generated by OpenCVE AI on April 16, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Cisco Secure Firewall Threat Defense software update that includes the fixed Snort 3 VBA decompression logic.
  • Disable or remove the Snort 3 VBA feature if it is not required for your deployment to eliminate the attack surface.
  • Monitor Snort 3 for abnormal CPU usage or repeated crashes, and block traffic that contains suspicious VBA payloads to prevent exploitation.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values Added:
  • Cisco
  • Cisco cisco Utd Snort Ips Engine Software
  • Cisco cyber Vision
  • Cisco secure Firewall Threat Defense

Type: Vendors & Products
Values Added:
  • Cisco
  • Cisco cisco Utd Snort Ips Engine Software
  • Cisco cyber Vision
  • Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 18:00:00 +0000

Type: Description
Values Added: Multiple Cisco products are affected by a vulnerability in the Snort 3 VBA feature that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. This vulnerability is due to improper error checking when decompressing VBA data. An attacker could exploit this vulnerability by sending crafted VBA data to the Snort 3 Detection Engine on the targeted device. A successful exploit could allow the attacker to cause the Snort 3 Detection Engine to enter an infinite loop, causing a DoS condition.

Type: Title
Values Added: Cisco Secure Firewall Threat Defense Software Snort 3 Visual Basic for Application Infinite Loop Denial of Service Vulnerability

Type: Weaknesses
Values Added: CWE-835

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T21:30:54.724Z

Reserved: 2025-10-08T11:59:15.355Z

Link: CVE-2026-20054

Vulnrichment

Updated: 2026-03-04T21:30:47.097Z

NVD

Status: Awaiting Analysis

Published: 2026-03-04T18:16:19.920

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses