EXECUTIVE SUMMARY:
Multiple security weaknesses were identified in products that use the Snort 3 detection engine when handling DCE/RPC network traffic. These flaws allow an unauthenticated remote attacker to send crafted network requests that are inspected by Snort 3. When processed, these requests may cause the detection engine to restart or expose sensitive data from memory. A restart of the engine can interrupt traffic inspection, reducing visibility into malicious activity. The issues affect systems where Snort 3 is active and inspecting live traffic. The overall severity of these issues is rated as medium, with CVSS scores of 5.8 and 5.3, indicating a noticeable but limited security impact.
CVE-2026-20026: This vulnerability exists due to improper buffer handling when processing DCE/RPC requests. The flaw can trigger a use-after-free memory read inside the Snort 3 engine. An attacker can exploit this by sending a high volume of crafted DCE/RPC requests over an already established connection. Successful exploitation may cause the detection engine to restart unexpectedly. This results in a denial of service condition where packet inspection is temporarily disrupted, allowing traffic to pass without proper inspection.
CVE-2026-20027: This issue is caused by an out-of-bounds memory read during DCE/RPC request processing. Like the previous flaw, an attacker can repeatedly send crafted requests that are inspected by Snort 3. When exploited, the engine may read memory outside its intended bounds. This can lead to exposure of sensitive information from the inspection data stream. While system availability is not heavily impacted, confidentiality is reduced due to possible data leakage during inspection.
These vulnerabilities show how improper memory handling in network inspection engines can weaken security controls. Systems using Snort 3 remain exposed until fixed software is applied. Applying updates is the only reliable way to fully address these issues.
RECOMMENDATION:
We strongly recommend you update Snort 3 to version 3.9.6.0 or later.
REFERENCES:
The following reports contain further technical details:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-dcerpc-vulns-J9HNF4tH