Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.

This vulnerability is due to an error in the JSTokenizer normalization logic when the HTTP inspection normalizes JavaScript. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection that is parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine restarts unexpectedly. JSTokenizer is not enabled by default.
Published: 2026-03-04
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The affected Snort 3 Detection Engine contains a flaw in JSTokenizer normalization during HTTP inspection of JavaScript. An attacker can send crafted HTTP packets over an existing connection to trigger a crash, causing the engine to restart unexpectedly. The outcome is a denial of service, temporarily disabling packet inspection and potentially leading to loss of security coverage.

Affected Systems

The flaw impacts Cisco Secure Firewall Threat Defense (FTD) Software and Cisco UTD SNORT IPS Engine Software. Specific product versions are not disclosed in the advisory.

Risk and Exploitability

The CVSS score is 5.8, indicating a moderate risk. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low exploitation probability in the wild. The vulnerability is reachable by an unauthenticated remote attacker who can send specially crafted HTTP packets over an established connection, as the flaw arises during HTTP inspection of JavaScript. The effective attack vector is remote network traffic, and the attacker needs only to craft the payload; no privileged access is required.

Generated by OpenCVE AI on April 16, 2026 at 13:17 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any Cisco-published patches or firmware updates that address the Snort 3 Detection Engine issue.
  • If feasible, disable the JSTokenizer or JavaScript HTTP inspection in the Snort 3 configuration to prevent the flaw from being triggered.
  • Continuously monitor system logs for unexpected restarts or denial of service events and apply vendor updates promptly.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cisco; Cisco cisco Utd Snort Ips Engine Software; Cisco secure Firewall Threat Defense
Vendors & Products | | Cisco; Cisco cisco Utd Snort Ips Engine Software; Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in the JSTokenizer normalization logic when the HTTP inspection normalizes JavaScript. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection that is parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine restarts unexpectedly. JSTokenizer is not enabled by default.
Title | | Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability
Weaknesses | | CWE-400
References | |
Metrics | | cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T20:46:18.739Z

Reserved: 2025-10-08T11:59:15.357Z

Link: CVE-2026-20066

Vulnrichment

Updated: 2026-03-04T20:46:13.165Z

NVD

Status: Awaiting Analysis

Published: 2026-03-04T18:16:21.670

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z
