Cisco Snort 3 HTTP Decoder Vulnerability Allowing Information Disclosure or Denial-of-Service
Vulnerability
A vulnerability exists in the Snort 3 HTTP Decoder across multiple Cisco products that could allow an unauthenticated, remote attacker to crash the Snort 3 Detection Engine or cause the unintentional disclosure of sensitive data. The issue arises from improper buffer handling when parsing MIME fields in HTTP headers, which results in a buffer under-read. Exploitation involves sending crafted HTTP packets through an established connection that Snort 3 is parsing. Successful exploitation could restart the Snort 3 Detection Engine, causing a denial-of-service condition, or leak sensitive information from the Snort 3 data stream, including data that is not valid connection information.
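The advisory attributes the flaw to a buffer under-read while parsing MIME fields in HTTP headers. The following C program is an added illustration, not Snort's code and not derived from the fix, of how a bounded parser for a MIME-style header value (for example a Content-Type parameter) avoids that class of bug: every forward scan is limited by the buffer length, and the backward scan that strips trailing whitespace, the usual place an under-read appears, is stopped at the start of the value so that an empty or all-whitespace parameter value never causes a read below the buffer. The header samples are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of the first n bytes of a and b.
 * The caller guarantees both are at least n bytes long. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)a[k]) != tolower((unsigned char)b[k]))
            return 0;
    return 1;
}

/* Locate parameter `name` inside a MIME-style header value such as
 * "text/plain; charset=utf-8" held in buf[0..len).  Returns a pointer to
 * the value inside buf and stores its length in *out_len, or NULL when the
 * parameter is absent.  Nothing here relies on a terminating NUL. */
const char *mime_param(const char *buf, size_t len, const char *name,
                       size_t *out_len)
{
    size_t nlen = strlen(name);
    size_t i = 0;
    *out_len = 0;

    /* Skip the media type: everything up to the first ';'. */
    while (i < len && buf[i] != ';')
        i++;

    while (i < len) {
        i++;                                   /* step over ';' */
        while (i < len && isspace((unsigned char)buf[i]))
            i++;                               /* leading whitespace */
        size_t start = i;
        while (i < len && buf[i] != '=' && buf[i] != ';')
            i++;
        if (i >= len || buf[i] != '=')
            continue;                          /* malformed parameter, skip it */
        size_t name_end = i;
        i++;                                   /* step over '=' */
        size_t vstart = i;
        while (i < len && buf[i] != ';')
            i++;
        size_t vend = i;                       /* one past the value; may equal vstart */

        /* Trim trailing whitespace.  The `vend > vstart` guard is the point:
         * without it an empty or all-whitespace value walks the index below
         * the value start and reads memory before the buffer. */
        while (vend > vstart && isspace((unsigned char)buf[vend - 1]))
            vend--;

        if (name_end - start == nlen && ieq(buf + start, name, nlen)) {
            *out_len = vend - vstart;
            return buf + vstart;
        }
    }
    return NULL;
}

/* Helper for checks: 1 when `name` resolves to exactly `want`
 * (want == NULL means "expected to be absent"), else 0. */
int param_is(const char *hdr, const char *name, const char *want)
{
    size_t vlen;
    const char *v = mime_param(hdr, strlen(hdr), name, &vlen);
    if (want == NULL)
        return v == NULL;
    return v != NULL && vlen == strlen(want) && memcmp(v, want, vlen) == 0;
}

int main(void)
{
    /* Constructed samples, including the edge cases that matter for the
     * backward trim: an empty value and a value made only of whitespace. */
    const char *samples[] = {
        "text/html; charset=utf-8",
        "text/plain; charset=",
        "text/plain; charset=   ; foo=bar",
        "multipart/form-data; boundary=abc123   ",
        "text/plain",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t vlen;
        const char *v = mime_param(samples[k], strlen(samples[k]), "charset", &vlen);
        if (v)
            printf("%-45s charset=\"%.*s\" (%zu bytes)\n", samples[k], (int)vlen, v, vlen);
        else
            printf("%-45s charset absent\n", samples[k]);
    }
    return 0;
}
```

The second and third samples are the ones an unbounded trim mishandles: the value is zero bytes long after trimming, and the only thing keeping the scan inside the buffer is the comparison against the value start.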
Impact
Exploitation of this vulnerability could result in the Snort 3 Detection Engine crashing, causing a denial-of-service condition, or leaking sensitive information from the Snort 3 data stream.
Remediation
Cisco has released software updates to address this vulnerability. For open-source Snort 3, users should upgrade to version 3.9.3.0. For Cisco Secure Firewall Threat Defense Software, Snort 3 must be the active detection engine for this vulnerability to be exploitable; instructions for checking which Snort version is active are available on the Cisco website. Cisco Meraki plans to release fixes in February 2026.
