ALT-PU-2025-14124-5

BDU:2025-08912

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-07-23Modified: 2025-08-13

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-53538

BDU:2025-12460

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связана с некорректной проверкой безопасности для стандартных элементов, позволяющая нарушителю обойти существующие механизмы безопасности или вызвать отказ в обслуживании

Published: 2025-10-03Modified: 2026-05-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N

References

CVE-2025-59147

BDU:2025-13675

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с разыменованием указателей, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-11-03Modified: 2025-11-17

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-59150

BDU:2025-14723

MEDIUM6.2

Уязвимость компонента ldap.responsions.attribute_type системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-11-27

CVSS 3.xMEDIUM 6.2

CVSS:3.x/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.9

CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-59149

BDU:2025-14724

HIGH7.5

Уязвимость компонента entropy системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-11-27

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-59148

BDU:2025-14771

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с переполнением буфера в динамической памяти при обработке записей eve.alertи eve.drop, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-11-28Modified: 2025-12-03

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64330

BDU:2025-15125

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-12-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64344

BDU:2025-15195

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64333

BDU:2025-15197

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64331

BDU:2025-15198

HIGH7.5

Уязвимость конфигурации swf-decompression системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64332

BDU:2025-15199

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с разыменованием указателей, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64335

BDU:2025-15200

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с распределением ресурсов без ограничений и регулирования, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-64334

BDU:2026-06178

HIGH7.5

Уязвимость парсера dcerpc системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-05-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2026-31937

CVE-2025-53538

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.

Published: 2025-07-22Modified: 2025-10-06

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-59147

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1.

Published: 2025-10-01Modified: 2025-10-06

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

CVE-2025-59148

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. This issue is fixed in version 8.0.1. To workaround this issue, users can disable rules using the entropy keyword, or validate they are anchored to a sticky buffer.

Published: 2025-10-01Modified: 2025-10-06

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-59149

MEDIUM6.2

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In version 8.0.0, rules using keyword ldap.responses.attribute_type (which is long) with transforms can lead to a stack buffer overflow during Suricata startup or during a rule reload. This issue is fixed in version 8.0.1. To workaround this issue, users can disable rules with ldap.responses.attribute_type and transforms.

Published: 2025-10-01Modified: 2025-10-06

CVSS 3.xMEDIUM 6.2

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-59150

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rules using the tls.subjectaltname keyword.

Published: 2025-10-01Modified: 2025-10-23

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-64330

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size a should be increased (packet-alert-max in suricata.yaml) if verdict is enabled.

Published: 2025-11-26Modified: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-64331

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves using default HTTP response body limits and/or disabling http-body-printable logging; body logging is disabled by default.

Published: 2025-11-26Modified: 2025-12-08

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2

CVE-2025-64332

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow that causes Suricata to crash can occur if SWF decompression is enabled. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling SWF decompression (swf-decompression in suricata.yaml), it is disabled by default; set decompress-depth to lower than half your stack size if swf-decompression must be enabled.

Published: 2025-11-26Modified: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-64333

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a large HTTP content type, when logged can cause a stack overflow crashing Suricata. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves limiting stream.reassembly.depth to less then half the stack size. Increasing the process stack size makes it less likely the bug will trigger.

Published: 2025-11-26Modified: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/OISF/suricata/security/advisories/GHSA-537h-xxmx-v87m

CVE-2025-64334

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or limiting response-body-limit size.

Published: 2025-11-26Modified: 2025-12-05

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-64335

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Published: 2025-11-26Modified: 2025-12-12

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2025-64344

HIGH7.5

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Published: 2025-11-26Modified: 2025-12-03

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-31937

HIGH7.5

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

Published: 2026-04-02Modified: 2026-04-07

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Package update suricata in branch c10f2

Closed issues (26)

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с разыменованием указателей, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента ldap.responsions.attribute_type системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость компонента entropy системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость конфигурации swf-decompression системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с разыменованием указателей, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость парсера dcerpc системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

Closed bugs (1)

fix logrotate issue: skipping "/var/log/suricata/*.log"