Description
Multiple Cisco products are affected by a vulnerability in the Snort 3 detection engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. 

This vulnerability is due to incomplete error checking when parsing the Multicast DNS fields of the HTTP header. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.
Published: 2026-03-04
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

This vulnerability arises from incomplete error checking when Snort 3 parses Multicast DNS fields in HTTP headers. An unauthenticated, remote attacker can send crafted HTTP packets that, when processed by Snort 3, cause the detection engine to restart, interrupting packet inspection and causing a denial‑of‑service condition.

Affected Systems

The flaw affects several Cisco products, including Cisco Cyber Vision, Cisco Secure Firewall Threat Defense (FTD) Software, and Cisco UTD SNORT IPS Engine Software. No specific version ranges are provided in the advisory, so all deployed instances that incorporate the vulnerable Snort 3 engine should be considered potentially impacted.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, and the EPSS score of less than 1% reflects a very low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers require no authentication and can exploit the flaw remotely by sending malicious HTTP traffic, making it straightforward to trigger an engine restart. While the probability of an attack is low, the impact of a service interruption on high‑availability or critical network infrastructure can be significant, so timely remediation is advisable.

Generated by OpenCVE AI on April 16, 2026 at 13:17 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco firmware or software update that includes the fixed Snort 3 engine.
  • If no patch is yet available, block or filter traffic containing malformed Multicast DNS fields in the HTTP header before it reaches Snort, for example by configuring upstream firewalls or ACLs.
  • Enable detailed logging on Snort 3 to capture abnormal restarts or parsing errors, and monitor these logs for signs of exploitation attempts.
  • Isolate Snort 3 instances from external network segments that carry untrusted traffic during the remediation window.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cisco; Cisco cisco Utd Snort Ips Engine Software; Cisco cyber Vision; Cisco secure Firewall Threat Defense
Vendors & Products | | Cisco; Cisco cisco Utd Snort Ips Engine Software; Cisco cyber Vision; Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Multiple Cisco products are affected by a vulnerability in the Snort 3 detection engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to incomplete error checking when parsing the Multicast DNS fields of the HTTP header. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.
Title | | Multiple Cisco Products Snort 3 TBD Denial of Service Vulnerability
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T20:45:50.116Z

Reserved: 2025-10-08T11:59:15.357Z

Link: CVE-2026-20067

Vulnrichment

Updated: 2026-03-04T20:45:39.452Z

NVD

Status: Awaiting Analysis

Published: 2026-03-04T18:16:21.950

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20067

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses