OISF Suricata vulnerabilities
85 known vulnerabilities affecting oisf/suricata.
Total CVEs: 85
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 58, MEDIUM 15
Vulnerabilities
Page 2 of 5
CVE-2025-59147 | HIGH | CVSS 7.5 | CWE-358 | fixed in 7.0.12 | affected: v8.0.0 +1 more | 2025-10-01
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fa
Sources: cvelistv5, nvd, osv
CVE-2025-59148 | HIGH | CVSS 7.5 | CWE-476 | affected: v8.0.0 | fixed in 8.0.1 | 2025-10-01
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. This issue is fixed in version 8.0.1. To workaround this issue, users can
Sources: cvelistv5, nvd
CVE-2025-59150 | HIGH | CVSS 7.5 | CWE-476 | affected: v8.0.0 (>= 8.0.0, < 8.0.1) | 2025-10-01
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rul
Sources: cvelistv5, nvd
CVE-2025-59149 | MEDIUM | CVSS 6.2 | CWE-121 | affected: v8.0.0 (>= 8.0.0, < 8.0.1) | 2025-10-01
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In version 8.0.0, rules using keyword ldap.responses.attribute_type (which is long) with transforms can lead to a stack buffer overflow during Suricata startup or during a rule reload. This issue is fixed in version
Sources: cvelistv5, nvd
CVE-2025-53538 | HIGH | CVSS 7.5 | CWE-400 | fixed in 7.0.11 | affected: v8.0.0 +1 more | 2025-07-22
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parse
Sources: cvelistv5, nvd, osv
CVE-2025-29915 | HIGH | CVSS 7.5 | CWE-347 | fixed in 7.0.9 | 2025-04-10
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricat
Sources: cvelistv5, nvd, osv
CVE-2025-29917 | MEDIUM | CVSS 5.5 | CWE-770 | fixed in 7.0.9 | 2025-04-10
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread. This vulnerability is fixed in 7.0.9.
Sources: cvelistv5, nvd, osv
CVE-2025-29918 | MEDIUM | CVSS 5.5 | CWE-835 | fixed in 7.0.9 | 2025-04-10
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. The packet processing thread becomes stuck in an infinite loop, limiting visibility and, in inline mode, availability. This vulnerability is fixed in 7.0.9.
Sources: cvelistv5, nvd, osv
CVE-2025-29916 | MEDIUM | CVSS 5.5 | CWE-770 | fixed in 7.0.9 | 2025-04-10
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leadin
Sources: cvelistv5, nvd, osv
CVE-2024-55628 | HIGH | CVSS 7.5 | CWE-405 | fixed in 7.0.8 | 2025-01-06
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too
Sources: cvelistv5, nvd, osv
CVE-2024-55627 | HIGH | CVSS 7.5 | CWE-122 | fixed in 7.0.8 | 2025-01-06
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8.
Sources: cvelistv5, nvd, osv
CVE-2024-55629 | HIGH | CVSS 7.5 | CWE-437 | fixed in 7.0.8 | 2025-01-06
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow user
Sources: cvelistv5, nvd, osv
CVE-2024-55605 | HIGH | CVSS 7.5 | CWE-400 | fixed in 7.0.8 | 2025-01-06
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricat
Sources: cvelistv5, nvd, osv
CVE-2024-55626 | MEDIUM | CVSS 5.5 | CWE-680 | fixed in 7.0.8 | 2025-01-06
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8.
Sources: cvelistv5, nvd, osv
CVE-2024-47188 | HIGH | CVSS 7.5 | CWE-330 | fixed in 7.0.7 | 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to
Sources: cvelistv5, nvd, osv
CVE-2024-45795 | HIGH | CVSS 7.5 | CWE-617 | fixed in 7.0.7 | 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use o
Sources: cvelistv5, nvd, osv
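Several of the entries above (CVE-2025-59148, CVE-2025-59150, CVE-2025-59149, CVE-2025-29917, CVE-2025-29918, CVE-2025-29916 and CVE-2024-45795) are triggered by the content of a rule rather than by traffic, which is why CVE-2025-29916 talks about "untrusted rules". The linter below is an added example for this page, not code from the Suricata project: it parses the option body of each rule (splitting on ';' outside quoted strings, which may contain escaped '\;') and flags the keyword usages those advisories name. The size thresholds, the "bare keyword containing a dot is a sticky buffer" heuristic, the entropy value syntax in the sample and the sample rules themselves are constructed assumptions for the example.

```python
"""Lint a Suricata ruleset for keyword usages tied to the advisories on this page.

Added example, not Suricata project code. Rule files are treated as untrusted
input (CVE-2025-29916); thresholds and the sticky-buffer heuristic are assumptions.
"""
import re

MAX_BASE64_BYTES = 64 * 1024        # assumed ceiling for decode_base64 "bytes" (CVE-2025-29917)
MAX_DATASET_HASHSIZE = 1 << 20      # assumed ceiling for dataset "hashsize" (CVE-2025-29916)

# Transform keywords named in CVE-2024-55605; CVE-2025-59149 needs one of them
# to follow ldap.responses.attribute_type.
TRANSFORMS = {"to_lowercase", "to_uppercase", "strip_whitespace", "compress_whitespace",
              "dotprefix", "header_lowercase", "strip_pseudo_headers", "url_decode", "xor"}

RULE_RE = re.compile(r"^\s*(\w+)\s+([^(]+?)\s*\((.*)\)\s*$")  # action, header, option body


def split_options(body):
    """Split an option body on ';' outside double quotes, honouring backslash escapes.

    Returns (keyword, value) pairs; value is '' for bare keywords such as 'nocase'.
    """
    items, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    pairs = []
    for item in items:
        if item:
            key, _, value = item.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def lint_rule(line):
    """Return (sid, cve, reason) findings for one rule line."""
    m = RULE_RE.match(line)
    if not m:
        return []
    opts = split_options(m.group(3))
    sid = next((v for k, v in opts if k == "sid"), "?")
    findings = []
    seen_buffer = False  # heuristic: a bare keyword with a '.' (http.uri, tls.sni) is a sticky buffer
    for i, (k, v) in enumerate(opts):
        if v == "" and "." in k:
            seen_buffer = True
        if k == "decode_base64":
            n = re.search(r"\bbytes\s+(\d+)", v)
            if n and int(n.group(1)) > MAX_BASE64_BYTES:
                findings.append((sid, "CVE-2025-29917", f"decode_base64 bytes {n.group(1)}: unbounded allocation before 7.0.9"))
        elif k == "dataset":
            parts = [p.strip() for p in v.split(",")]
            if parts[0] == "unset":
                findings.append((sid, "CVE-2024-45795", "dataset unset is unimplemented and asserts before 7.0.7"))
            for p in parts:
                n = re.match(r"hashsize\s+(\d+)", p)
                if n and int(n.group(1)) > MAX_DATASET_HASHSIZE:
                    findings.append((sid, "CVE-2025-29916", f"dataset hashsize {n.group(1)}: unbounded allocation before 7.0.9"))
        elif k == "pcre" and v.startswith("!"):
            findings.append((sid, "CVE-2025-29918", "negated pcre can loop forever before 7.0.9"))
        elif k == "entropy" and not seen_buffer:
            findings.append((sid, "CVE-2025-59148", "entropy not anchored to a sticky buffer segfaults in 8.0.0"))
        elif k == "tls.subjectaltname":
            findings.append((sid, "CVE-2025-59150", "tls.subjectaltname segfaults on a NULL byte in 8.0.0"))
        elif k == "ldap.responses.attribute_type":
            if {key for key, _ in opts[i + 1:]} & TRANSFORMS:
                findings.append((sid, "CVE-2025-59149", "ldap.responses.attribute_type with a transform overflows the stack in 8.0.0"))
    return findings


def lint_ruleset(lines):
    """Lint every non-comment line; returns all findings in file order."""
    findings = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            findings.extend(lint_rule(line))
    return findings


# Constructed sample ruleset for this example (the entropy option syntax is assumed).
SAMPLE_RULES = r'''
# sid 1 and 8 are clean; every other rule trips one advisory
alert http any any -> any any (msg:"small base64"; decode_base64:bytes 200, offset 0; content:"x"; sid:1; rev:1;)
alert http any any -> any any (msg:"huge base64"; decode_base64:bytes 4000000000, offset 0; sid:2; rev:1;)
alert tcp any any -> any any (msg:"negated pcre"; content:"a\;b"; pcre:!"/foo/i"; sid:3; rev:1;)
alert tcp any any -> any any (msg:"big dataset"; dataset:isset,ips,type string,load ips.lst,hashsize 50000000; sid:4; rev:1;)
alert tcp any any -> any any (msg:"dataset unset"; dataset:unset,ips,type string; sid:5; rev:1;)
alert tls any any -> any any (msg:"san"; tls.subjectaltname; content:"example"; sid:6; rev:1;)
alert ldap any any -> any any (msg:"ldap transform"; ldap.responses.attribute_type; to_lowercase; content:"cn"; sid:7; rev:1;)
alert http any any -> any any (msg:"anchored entropy"; http.request_body; entropy:value > 7.2; sid:8; rev:1;)
alert tcp any any -> any any (msg:"unanchored entropy"; entropy:value > 7.2; sid:9; rev:1;)
'''

if __name__ == "__main__":
    for sid, cve, reason in lint_ruleset(SAMPLE_RULES.splitlines()):
        print(f"sid:{sid} {cve} {reason}")
```

Run it over a real rules file with `lint_ruleset(open(path).readlines())`. The findings are version-gated in their text: once the sensor runs 7.0.9 / 8.0.1 or later the allocation and crash cases are fixed upstream, but the linter still tells you which third-party rules would have taken an unpatched sensor down, which is useful input to a rule-sourcing policy.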
CVE-2024-47187 | HIGH | CVSS 7.5 | CWE-330 | fixed in 7.0.7 | 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance
Sources: cvelistv5, nvd, osv
CVE-2024-47522 | HIGH | CVSS 7.5 | CWE-617 | fixed in 7.0.7 | 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround.
Sources: cvelistv5, nvd, osv
CVE-2024-45796 | MEDIUM | CVSS 5.3 | CWE-193 | fixed in 7.0.7 | 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior. This issue has been addressed in 7.0.7.
Sources: cvelistv5, nvd, osv
CVE-2024-38534 | HIGH | CVSS 7.5 | CWE-770 | fixed in 7.0.6 | 2024-07-11
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted Modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
Sources: cvelistv5, nvd, osv
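The "fixed in" column above is only half the story for the entries that span two release lines: CVE-2025-53538 affects 7.0.10 and below plus 8.0.0-beta1 through 8.0.0-rc1, while CVE-2025-59147 affects 7.0.11 and below plus the 8.0.0 release itself. The checker below is an added example for this page, not OISF code: it transcribes the entries on this page as [introduced, fixed) intervals and orders beta and rc builds below the final release so those split ranges resolve correctly. Two assumptions are labelled in the code: the 8.x fix version for CVE-2025-59147 (the page only says "+1 more", so 8.0.1 is taken from the neighbouring 8.0.x entries), and the banner shape used to pull the version out of `suricata -V` output.

```python
"""Check an installed Suricata version against the advisories listed on this page.

Added example, not OISF code. Ranges are [introduced, fixed) per release line,
transcribed from the entries above; None means every earlier release.
"""
import re

PRE_RANK = {"beta": 0, "rc": 1}
FINAL = (2, 0)  # a final release sorts after every beta/rc of the same number


def parse_version(text):
    """'7.0.11' -> (7, 0, 11, FINAL); '8.0.0-rc1' -> (8, 0, 0, (1, 1))."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Suricata version: {text!r}")
    pre = (PRE_RANK[m.group(4)], int(m.group(5))) if m.group(4) else FINAL
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), pre)


def version_from_banner(banner):
    """Pull the version out of a 'suricata -V' banner; the banner shape is assumed here."""
    m = re.search(r"version\s+(\S+)", banner)
    if not m:
        raise ValueError("no version found in banner")
    return m.group(1)


ADVISORIES = {
    # 8.x fix version is an assumption: the page lists "8.0.0 +1 more" without naming it
    "CVE-2025-59147": [(None, "7.0.12"), ("8.0.0", "8.0.1")],
    "CVE-2025-59148": [("8.0.0", "8.0.1")],
    "CVE-2025-59150": [("8.0.0", "8.0.1")],
    "CVE-2025-59149": [("8.0.0", "8.0.1")],
    "CVE-2025-53538": [(None, "7.0.11"), ("8.0.0-beta1", "8.0.0")],
    **{cve: [(None, "7.0.9")] for cve in
       ("CVE-2025-29915", "CVE-2025-29916", "CVE-2025-29917", "CVE-2025-29918")},
    **{cve: [(None, "7.0.8")] for cve in
       ("CVE-2024-55605", "CVE-2024-55626", "CVE-2024-55627", "CVE-2024-55628", "CVE-2024-55629")},
    **{cve: [(None, "7.0.7")] for cve in
       ("CVE-2024-45795", "CVE-2024-45796", "CVE-2024-47187", "CVE-2024-47188", "CVE-2024-47522")},
    "CVE-2024-38534": [(None, "7.0.6")],
}


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) interval."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        lower_ok = introduced is None or v >= parse_version(introduced)
        if lower_ok and v < parse_version(fixed):
            return True
    return False


def affecting(version):
    """Sorted CVE ids from this page that affect the given version string."""
    return sorted(cve for cve, ranges in ADVISORIES.items() if is_affected(version, ranges))


if __name__ == "__main__":
    # Constructed banner in the shape 'suricata -V' prints (assumed).
    banner = "This is Suricata version 7.0.10 RELEASE"
    ver = version_from_banner(banner)
    print(ver, "->", affecting(ver) or "no advisories on this page")
    print("8.0.0-rc1 ->", affecting("8.0.0-rc1"))
```

Note that "prior to 7.0.9" is modelled as a single interval, so an 8.x release is treated as carrying every 7.0.x fix; that matches the advisory wording on this page, and the two split-range entries show what to do when it does not hold. The table covers only the entries on this page (page 2 of 5), so an empty result is not a clean bill of health.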