cvebase

OISF Suricata vulnerabilities

85 known vulnerabilities affecting oisf/suricata.

Total CVEs: 85
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 58, MEDIUM 15

Vulnerabilities

Page 1 of 5
CVE-2018-18956 | P2 | HIGH | CVSS 7.5 | Exploited | ≥ 0, < 1:4.0.6-1 | 2018-11-05
CVE-2018-18956 [HIGH]: The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x before 4.0.6 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018.
osv
CVE-2018-6794 | P3 | MEDIUM | CVSS 5.3 | PoC | ≥ 0, < 1:4.0.4-1 | 2018-02-07
CVE-2018-6794 [MEDIUM]: Suricata before 4.0.4 is prone to an HTTP detection bypass vulnerability in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP flow and sends data before the 3-way handshake is complete, then the data sent by the malicious server will be accepted by web clients such as a web browser or Linux CLI utilities, but ignored by Suricata IDS signatures. This mostly affects IDS signatures for the HTTP protocol and TCP stream conten
osv
CVE-2015-8954 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 2.0.6-1 | 2017-03-20
CVE-2015-8954 [CRITICAL]: The MemcmpLowercase function in Suricata before 2.0.6 improperly excludes the first byte from comparisons, which might allow remote attackers to bypass intrusion-prevention functionality via a crafted HTTP request.
osv
CVE-2026-22262 | P3 | CRITICAL | CVSS 9.8 | fixed in 7.0.14 | ≥ 8.0.0, < 8.0.3 | +1 more | 2026-01-27
CVE-2026-22262 [CRITICAL] CWE-121: Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options.
nvd, osv
CVE-2023-35853 | P3 | CRITICAL | CVSS 9.8 | fixed in 6.0.13 | 2023-06-19
CVE-2023-35853 [CRITICAL] CWE-94: In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
nvd, osv
CVE-2021-37592 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.0.8 | ≥ 6.0.0, < 6.0.4 | 2021-11-19
CVE-2021-37592 [CRITICAL] CWE-787: Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
nvd, osv
CVE-2026-22264 | P3 | CRITICAL | CVSS 9.1 | fixed in 7.0.14 | ≥ 8.0.0, < 8.0.3 | +1 more | 2026-01-27
CVE-2026-22264 [CRITICAL] CWE-416: Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures
nvd, osv
CVE-2018-10243 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 1:4.0.0-1 | 2019-04-04
CVE-2018-10243 [CRITICAL]: htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header.
osv
CVE-2019-18792 | P3 | CRITICAL | CVSS 9.1 | ≥ 4.1.5, < 4.1.6 | v5.0.0 | 2020-01-06
CVE-2019-18792 [CRITICAL] CWE-436: An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the seque
nvd, osv
CVE-2019-16411 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 1:4.1.5-1 | 2019-09-24
CVE-2019-16411 [CRITICAL]: An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len data + 3)" places one beyond the 3 bytes, because the code should have been "flag = *(o->data + 1)" instead.
osv
CVE-2024-23839 | P3 | HIGH | CVSS 8.1 | ≥ 7.0.0, < 7.0.3 | v>= 7.0.0, < 7.0.3 | 2024-02-26
CVE-2024-23839 [HIGH] CWE-416: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The vulnerability has been patched in 7.0.3. To work around the vulnerability, avoid
nvd, osv
CVE-2021-45098 | P3 | HIGH | CVSS 7.5 | fixed in 6.0.4 | 2021-12-16
CVE-2021-45098 [HIGH]: An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden
nvd, osv
CVE-2019-16410 | P3 | CRITICAL | CVSS 9.1 | ≥ 0, < 1:4.1.5-1 | 2019-09-24
CVE-2019-16410 [CRITICAL]: An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.
osv
CVE-2018-10244 | P3 | CRITICAL | CVSS 9.8 | v4.0.4 | 2019-04-04
CVE-2018-10244 [CRITICAL] CWE-190: Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/IP PDU. A malformed PDU can cause the parsing code to read beyond the allocated data because DecodeENIPPDU in app-layer-enip-commmon.c has an integer overflow during a length check.
nvd, osv
CVE-2025-59147 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.12 | v8.0.0 | +1 more | 2025-10-01
CVE-2025-59147 [HIGH] CWE-358: Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fa
nvd, osv
CVE-2025-29915 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.9 | 2025-04-10
CVE-2025-29915 [HIGH] CWE-347: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricat
nvd, osv
CVE-2024-55629 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.8 | 2025-01-06
CVE-2024-55629 [HIGH] CWE-437: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow user
nvd, osv
CVE-2026-22259 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.14 | ≥ 8.0.0, < 8.0.3 | +1 more | 2026-01-27
CVE-2026-22259 [HIGH] CWE-400: Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain
nvd, osv
CVE-2026-22258 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.14 | ≥ 8.0.0, < 8.0.3 | +1 more | 2026-01-27
CVE-2026-22258 [HIGH] CWE-400: Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configura
nvd, osv
CVE-2020-19678 | P3 | HIGH | CVSS 7.5 | v1.4.6 | 2023-04-06
CVE-2020-19678 [HIGH] CWE-22: Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
nvd