CVE-2025-29916 — Allocation of Resources Without Limits or Throttling in Suricata

CWE-770 — Allocation of Resources Without Limits or Throttling4 documents4 sources

Severity

5.5MEDIUMNVD

CNA6.2

EPSS

0.1%

top 80.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oisf Suricata

Timeline

PublishedApr 10

Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5oisf/suricata< 7.0.9

▶NVDoisf/suricata< 7.0.9

▶Debianoisf/suricata< 1:7.0.9-1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Suricata datasets: ruleset declared settings can lead to resource starvation↗2025-04-10

▶

OSV

CVE-2025-29916: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine↗2025-04-10

▶

📋Vendor Advisories

Debian

CVE-2025-29916: suricata - Suricata is a network Intrusion Detection System, Intrusion Prevention System an...↗2025

▶