
Oisf Suricata vulnerabilities

85 known vulnerabilities affecting oisf/suricata.

Total CVEs: 85
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 58, MEDIUM 15

Vulnerabilities

Page 2 of 5
CVE-2024-55627 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.8 | 2025-01-06
CWE-122. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8.
Sources: NVD, OSV
CVE-2024-55605 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.8 | 2025-01-06
CWE-400. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricat
Sources: NVD, OSV
CVE-2024-37151 | P3 | HIGH | CVSS 7.5 | ≥ 6.0.0, < 6.0.20; ≥ 7.0.0, < 7.0.6; +2 more | 2024-07-11
CWE-754. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the
Sources: NVD, OSV
CVE-2026-22260 | P3 | HIGH | CVSS 7.5 | ≥ 8.0.0, < 8.0.3 | 2026-01-27
CWE-674. Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.
Sources: NVD, OSV
CVE-2024-32664 | P3 | HIGH | CVSS 7.3 | ≥ 6.0.0, < 6.0.19; ≥ 7.0.0, < 7.0.5; +2 more | 2024-05-07
CWE-120. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option w
Sources: NVD, OSV
CVE-2025-64330 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.13; ≥ 8.0.0, < 8.0.2; +1 more | 2025-11-26
CWE-122. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and
Sources: NVD, OSV
CVE-2025-64332 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.13; ≥ 8.0.0, < 8.0.2; +1 more | 2025-11-26
CWE-121. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow that causes Suricata to crash can occur if SWF decompression is enabled. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involv
Sources: NVD, OSV
CVE-2025-64344 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.13; ≥ 8.0.0, < 8.0.2; +1 more | 2025-11-26
CWE-121. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule pa
Sources: NVD, OSV
CVE-2025-64333 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.13; ≥ 8.0.0, < 8.0.2; +1 more | 2025-11-26
CWE-121. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a large HTTP content type, when logged, can cause a stack overflow crashing Suricata. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves li
Sources: NVD, OSV
CVE-2019-15699 | P3 | CRITICAL | CVSS 9.1 | ≥ 0, < 1:4.1.5-1 | 2019-09-24
An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match the real length of the HSHelloExtensions part of the packet.
Sources: OSV
CVE-2019-10053 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 1:4.1.4-1 | 2019-05-13
An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.
Sources: OSV
CVE-2024-23836 | P3 | HIGH | CVSS 7.5 | fixed in 6.0.16; ≥ 7.0.0, < 7.0.3; +1 more | 2024-02-26
CWE-770. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability i
Sources: NVD, OSV
CVE-2025-59148 | P3 | HIGH | CVSS 7.5 | v8.0.0; fixed in 8.0.1 | 2025-10-01
CWE-476. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. This issue is fixed in version 8.0.1. To workaround this issue, users can
Sources: NVD
CVE-2026-31933 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.15; ≥ 8.0.0, < 8.0.4; +1 more | 2026-04-02
CWE-407. Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.
Sources: NVD, OSV
CVE-2025-64331 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.13; ≥ 8.0.0, < 8.0.2; +1 more | 2025-11-26
CWE-121. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been p
Sources: NVD, OSV
CVE-2026-31935 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.15; ≥ 8.0.0, < 8.0.4; +1 more | 2026-04-02
CWE-400. Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4.
Sources: NVD, OSV
CVE-2019-18625 | P3 | HIGH | CVSS 7.5 | v5.0.0 | 2020-01-06
An issue was discovered in Suricata 5.0.0. It was possible to bypass/evade any tcp based signature by faking a closed TCP session using an evil server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client will ignore the RST ACK and the FIN ACK packets because of the bad TCP Timestamp op
Sources: NVD, OSV
CVE-2023-35852 | P3 | HIGH | CVSS 7.5 | fixed in 6.0.13 | 2023-06-19
CWE-22. In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules config
Sources: NVD, OSV
CVE-2025-53538 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.11; v8.0.0; +1 more | 2025-07-22
CWE-400. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parse
Sources: NVD, OSV
CVE-2026-31932 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.15; ≥ 8.0.0, < 8.0.4; +1 more | 2026-04-02
CWE-407. Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Sources: NVD, OSV