CVE-2026-22260Uncontrolled Recursion in Suricata

CWE-674Uncontrolled RecursionCWE-787Out-of-bounds Write5 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 94.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Oisf Suricata
Timeline
PublishedJan 27

Description

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDoisf/suricata8.0.08.0.3
Debianoisf/suricata< 1:8.0.3-1
CVEListV5oisf/suricata>= 8.0.0, < 8.0.3

Patches

Patch: github.com

🔴Vulnerability Details

2
CVEList
Suricata http1: infinite recursion in decompression2026-01-27
OSV
CVE-2026-22260: Suricata is a network IDS, IPS and NSM engine2026-01-27

📋Vendor Advisories

1
Debian
CVE-2026-22260: suricata - Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and pri...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-22260 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-22260 — Uncontrolled Recursion in Suricata | cvebase