ALT-PU-2026-2048-2

BDU:2026-00952

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с неконтролируемой рекурсией, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-29Modified: 2026-03-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2026-22260

BDU:2026-00953

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-29Modified: 2026-03-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2026-22259

BDU:2026-00954

HIGH7.5

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с чрезмерной загрузкой центрально процессора, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-29Modified: 2026-03-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2026-22263

BDU:2026-00955

HIGH7.5

Уязвимость реализации протокола DCERPC системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-29Modified: 2026-03-04

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2026-22258

BDU:2026-00956

CRITICAL9.8

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с переполнением буфера в стеке, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-29Modified: 2026-03-04

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2026-22262

BDU:2026-00963

MEDIUM5.3

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с чрезмерной загрузкой центрально процессора, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-30Modified: 2026-03-04

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2026-22261

BDU:2026-01034

CRITICAL9.1

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-01-30Modified: 2026-03-04

CVSS 3.xCRITICAL 9.1

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS 2.0CRITICAL 9.4

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:C

References

CVE-2026-22264

CVE-2026-22258

HIGH7.5

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.

Published: 2026-01-27Modified: 2026-01-30

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-22259

HIGH7.5

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default).

Published: 2026-01-27Modified: 2026-01-30

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-22260

HIGH7.5

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.

Published: 2026-01-27Modified: 2026-01-29

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-22261

MEDIUM5.3

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default.

Published: 2026-01-27Modified: 2026-01-29

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

CVE-2026-22262

CRITICAL9.8

Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options.

Published: 2026-01-27Modified: 2026-01-29

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2026-22263

MEDIUM5.3

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.

Published: 2026-01-27Modified: 2026-01-29

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

CVE-2026-22264

CRITICAL9.1

Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.

Published: 2026-01-27Modified: 2026-01-29

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

Package update suricata in branch p11

Closed issues (14)

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с неконтролируемой рекурсией, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость реализации протокола DCERPC системы обнаружения и предотвращения вторжений Suricata, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость системы обнаружения и предотвращения вторжений Suricata, связанная с переполнением буфера в стеке, позволяющая нарушителю вызвать отказ в обслуживании

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.