OISF Suricata vulnerabilities
85 known vulnerabilities affecting oisf/suricata.

Total CVEs: 85
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 58, MEDIUM 15

Vulnerabilities (page 3 of 5)
CVE-2019-1010251 | P3 | HIGH | CVSS 7.5 | CWE-20 | affected: 4.0.2, 4.0.3, +2 more | published 2019-07-18
Open Information Security Foundation Suricata prior to version 4.1.2 is affected by: Denial of Service - DNS detection bypass. The impact is: An attacker can evade a signature detection with a specially formed network packet. The component is: app-layer-detect-proto.c, decode.c, decode-teredo.c and decode-ipv6.c (https://github.com/OISF/suricata/pul…
Sources: NVD, OSV
CVE-2018-14568 | P3 | HIGH | CVSS 7.5 | affected: ≥ 0, < 1:4.0.5-1 | published 2018-07-23
Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from a server. This allows detection bypass because Windows TCP clients proceed with normal processing of TCP data that arrives shortly after an RST (i.e., they act as if the RST had not yet been received).
Sources: OSV
CVE-2024-38535 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected: fixed in 6.0.20; ≥ 7.0.0, < 7.0.6; +1 more | published 2024-07-11
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
Sources: NVD, OSV
CVE-2024-38534 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected: fixed in 7.0.6 | published 2024-07-11
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
Sources: NVD, OSV
CVE-2024-28870 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected: fixed in 6.0.17; ≥ 7.0.0, < 7.0.4; +2 more | published 2024-04-03
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.…
Sources: NVD, OSV
CVE-2026-31931 | P3 | HIGH | CVSS 7.5 | CWE-476 | affected: ≥ 8.0.0, < 8.0.4 | published 2026-04-02
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
Sources: NVD, OSV
CVE-2026-31937 | P3 | HIGH | CVSS 7.5 | CWE-407 | affected: fixed in 7.0.15 | published 2026-04-02
Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.
Sources: NVD, OSV
CVE-2024-47188 | P3 | HIGH | CVSS 7.5 | CWE-330 | affected: fixed in 7.0.7 | published 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to…
Sources: NVD, OSV
CVE-2019-10052 | P3 | HIGH | CVSS 7.5 | affected: ≥ 0, < 1:4.1.4-1 | published 2019-08-28
An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to access a part of a DHCP packet. At this point, the Rust environment runs into a panic in parse_clientid_option in the dhcp/parser.rs file.
Sources: OSV
CVE-2021-35063 | P3 | HIGH | CVSS 7.5 | affected: fixed in 5.0.7; ≥ 6.0.0, < 6.0.3 | published 2021-07-22
Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."
Sources: NVD, OSV
CVE-2024-32663 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected: ≥ 6.0.0, < 6.0.19; ≥ 7.0.0, < 7.0.5; +2 more | published 2024-05-07
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `a…
Sources: NVD, OSV
CVE-2024-23835 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected: ≥ 7.0.0, < 7.0.3 (i.e. ≤ 7.0.2) | published 2024-02-26
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround, users can disable the pgsql app layer parser.
Sources: NVD, OSV
CVE-2024-47522 | P3 | HIGH | CVSS 7.5 | CWE-617 | affected: fixed in 7.0.7 | published 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround.
Sources: NVD, OSV
CVE-2024-45795 | P3 | HIGH | CVSS 7.5 | CWE-617 | affected: fixed in 7.0.7 | published 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use o…
Sources: NVD, OSV
CVE-2025-59150 | P3 | HIGH | CVSS 7.5 | CWE-476 | affected: 8.0.0 (≥ 8.0.0, < 8.0.1) | published 2025-10-01
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To workaround this issue, disable rul…
Sources: NVD
CVE-2025-64335 | P3 | HIGH | CVSS 7.5 | CWE-476 | affected: ≥ 8.0.0, < 8.0.2 | published 2025-11-26
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules…
Sources: NVD, OSV
CVE-2025-64334 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected: ≥ 8.0.0, < 8.0.2 | published 2025-11-26
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or…
Sources: NVD, OSV
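Several of the entries on this page name a configuration workaround rather than only a fixed release: CVE-2024-38534 (bound stream.reassembly.depth), CVE-2024-32663 (disable the HTTP/2 parser), CVE-2024-23835 (disable the pgsql parser), CVE-2024-47522 (disable JA4) and CVE-2025-64334 (disable LZMA decompression). The suricata.yaml fragment below is added here to show those knobs side by side; it is an illustration written for this page, not text from the advisories or from a shipped Suricata configuration. The key names are the standard suricata.yaml keys for the 7.x/8.x series as the editor knows them; the concrete values (the 1mb depth in particular) and the "permissive" values shown in comments are assumptions to be tuned per sensor. Upgrading to the fixed version remains the actual remedy; these settings only shrink exposure while an upgrade is pending.

```yaml
# Example suricata.yaml fragment (added illustration, not shipped Suricata config).
# Each knob is the workaround cited by one advisory above; values are assumptions.

stream:
  reassembly:
    # CVE-2024-38534 (modbus resource accumulation within a flow):
    # cap per-flow reassembly instead of leaving it unbounded.
    # Permissive: depth: 0   (0 = no limit)
    depth: 1mb

app-layer:
  protocols:
    http2:
      # CVE-2024-32663: turn the HTTP/2 parser off where HTTP/2 is not inspected.
      # Permissive: enabled: yes
      enabled: no
    pgsql:
      # CVE-2024-23835: disable the pgsql app-layer parser.
      # Permissive: enabled: yes
      enabled: no
    tls:
      # CVE-2024-47522: disable JA4 matching/logging on an unpatched 7.0.x.
      # Permissive: ja4-fingerprints: auto
      ja4-fingerprints: no
    http:
      libhtp:
        default-config:
          # CVE-2025-64334: disable LZMA decompression of HTTP bodies.
          # Permissive: lzma-enabled: yes
          lzma-enabled: no
```

Validate the merged configuration with `suricata -T -c /path/to/suricata.yaml` before reloading, and remove each override once the corresponding fixed release is deployed, since every one of them also removes detection coverage (no HTTP/2 or pgsql inspection, no JA4, no decompression of LZMA-encoded bodies).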
CVE-2024-47187 | P3 | HIGH | CVSS 7.5 | CWE-330 | affected: fixed in 7.0.7 | published 2024-10-16
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance…
Sources: NVD, OSV
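CVE-2024-47187 and CVE-2024-47188 above share one root cause: the hash seed for "thash" was never initialised, so the key-to-bucket mapping was a fixed function an attacker could evaluate offline. The C program below is an added illustration of that attack class and its fix, written for this page; it is not Suricata's thash code and does not reproduce Suricata's hash function or table layout. The mixer (a murmur3-style 64-bit finalizer), the 256-bucket table, the 64-key attack set and the seed value in main are all assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 256u   /* assumed table size for the demo */
#define NKEYS    64u    /* number of keys the attacker crafts */

/* murmur3-style 64-bit finalizer: an assumed mixer, not Suricata's hash. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 33;
    x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33;
    x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x;
}

/* Bucket index for a key under a given seed. With seed == 0 ("never
 * initialised") the mapping is fixed and fully predictable. */
static unsigned bucket_of(uint64_t key, uint64_t seed)
{
    return (unsigned)(mix64(key ^ seed) % NBUCKETS);
}

/* Attacker side: knowing the seed, search for n keys that all land in
 * bucket 0. Cost is roughly n * NBUCKETS hash evaluations, done offline. */
static void craft_colliding_keys(uint64_t known_seed, uint64_t *out, size_t n)
{
    size_t found = 0;
    for (uint64_t k = 1; found < n; k++) {
        if (bucket_of(k, known_seed) == 0)
            out[found++] = k;
    }
}

/* Defender side: insert the keys into a count-only table and report the
 * longest chain, i.e. how much work a lookup in the worst bucket costs. */
static unsigned max_bucket_load(const uint64_t *keys, size_t n, uint64_t seed)
{
    unsigned counts[NBUCKETS] = {0};
    unsigned worst = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned c = ++counts[bucket_of(keys[i], seed)];
        if (c > worst)
            worst = c;
    }
    return worst;
}

/* Table whose seed was never initialised (effectively 0): every crafted key
 * collides, so the longest chain equals NKEYS. */
unsigned flood_unseeded(void)
{
    uint64_t keys[NKEYS];
    craft_colliding_keys(0, keys, NKEYS);
    return max_bucket_load(keys, NKEYS, 0);
}

/* The same crafted keys against a table seeded with a value the attacker
 * did not know: the precomputed collisions no longer line up. */
unsigned flood_seeded(uint64_t secret_seed)
{
    uint64_t keys[NKEYS];
    craft_colliding_keys(0, keys, NKEYS);   /* attacker still assumes seed 0 */
    return max_bucket_load(keys, NKEYS, secret_seed);
}

int main(void)
{
    /* Fixed seed for a reproducible run; a real sensor draws it from a CSPRNG at start-up. */
    uint64_t secret = 0x243f6a8885a308d3ULL;
    printf("unseeded table: longest chain %u of %u keys\n", flood_unseeded(), NKEYS);
    printf("seeded table:   longest chain %u of %u keys\n", flood_seeded(secret), NKEYS);
    return 0;
}
```

The point the two numbers make is that the attack costs one offline search against a known function, and that the only thing removing it is a seed the attacker cannot learn; a strong mixer with a constant seed is still fully predictable. In a sensor the seed must come from a CSPRNG at start-up (the fixed value in main is only for reproducibility), and the same reasoning applies to any per-flow or per-dataset table that network input can fill.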
CVE-2026-31934 | P3 | HIGH | CVSS 7.5 | CWE-407 | affected: ≥ 8.0.0, < 8.0.4 | published 2026-04-02
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for URLs in mime encoded messages over SMTP leading to a performance impact. This issue has been patched in version 8.0.4.
Sources: NVD, OSV
CVE-2019-10050 | P3 | HIGH | CVSS 7.5 | CWE-125 | affected: ≥ 4.0.0, < 4.1.4 | published 2019-05-13
A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. A…
Sources: NVD, OSV
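CVE-2019-10050 (DecodeMPLS reading past the packet when the label-stack loop is driven by attacker-controlled shims) and CVE-2019-10052 (a panic in the Rust DHCP option parser on a short packet) above are the same class of decoder bug: a read whose length or loop condition comes from the packet instead of from the bytes actually present. The C below is an added illustration written for this page, not Suricata's decode-mpls.c or dhcp/parser.rs. The wire formats follow RFC 3032 (MPLS label stack) and RFC 2132 (DHCP options); the sample byte strings are constructed, and the label-depth cap and the lenient treatment of a missing END option are design choices assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DECODE_OK = 0, DECODE_TRUNCATED = -1, DECODE_INVALID = -2 };
#define MPLS_MAX_LABELS 16u   /* assumed sanity bound on label-stack depth */

/* MPLS label stack (RFC 3032): 4-byte shims, bit 8 of each is bottom-of-stack (S).
 * A shim is only read when 4 bytes remain, so a packet cut off before the S=1 entry
 * is reported as truncated instead of being read past its end. */
int decode_mpls_stack(const uint8_t *buf, size_t len, size_t *payload_off, unsigned *depth)
{
    size_t off = 0;
    unsigned n = 0;
    for (;;) {
        if (len - off < 4)                       /* off <= len always holds here */
            return DECODE_TRUNCATED;
        uint32_t shim = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                        ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        n++;
        if (shim & 0x100u)                       /* S bit: bottom of stack reached */
            break;
        if (n >= MPLS_MAX_LABELS)                /* no bottom after N shims: reject */
            return DECODE_INVALID;
    }
    *payload_off = off;
    *depth = n;
    return DECODE_OK;
}

/* DHCP option area (RFC 2132, the bytes after the magic cookie): code, length, value;
 * code 0 is a one-byte pad, code 255 ends the list. Each declared length is checked
 * against the bytes left before the value is touched. Option 61 (client identifier)
 * must hold a type byte plus at least one identifier byte. */
int parse_dhcp_options(const uint8_t *opts, size_t len, const uint8_t **cid, size_t *cid_len)
{
    size_t off = 0;
    *cid = NULL;
    *cid_len = 0;
    while (off < len) {
        uint8_t code = opts[off++];
        if (code == 0) continue;                 /* pad */
        if (code == 255) return DECODE_OK;       /* end */
        if (off >= len) return DECODE_TRUNCATED; /* length byte missing */
        uint8_t olen = opts[off++];
        if (olen > len - off) return DECODE_TRUNCATED; /* value runs past the packet */
        if (code == 61) {
            if (olen < 2) return DECODE_INVALID;
            *cid = opts + off;
            *cid_len = olen;
        }
        off += olen;
    }
    return DECODE_OK;                            /* no 255 before the end: tolerated */
}

/* Constructed sample inputs, not captures. */
static const uint8_t mpls_two_labels[] = { 0x00,0x01,0x00,0x40,  /* label 16, S=0 */
                                           0x00,0x02,0x01,0x40,  /* label 32, S=1 */
                                           0xaa };               /* payload */
static const uint8_t mpls_cut_short[]  = { 0x00,0x01,0x00,0x40,  /* S=0: another shim due */
                                           0x00,0x02,0x00 };     /* but only 3 bytes left */
static const uint8_t dhcp_ok[]        = { 53,1,1, 61,7,0x01,0xde,0xad,0xbe,0xef,0x00,0x01, 255 };
static const uint8_t dhcp_cut_short[] = { 53,1,1, 61,7,0x01,0xde,0xad };  /* claims 7, has 3 */
static const uint8_t dhcp_bad_len[]   = { 61,1,0x01, 255 };               /* client id too short */

int check_mpls_two_labels(void)
{
    size_t payload = 0; unsigned depth = 0;
    int r = decode_mpls_stack(mpls_two_labels, sizeof mpls_two_labels, &payload, &depth);
    return r == DECODE_OK && payload == 8 && depth == 2;
}
int check_mpls_cut_short(void)
{
    size_t payload = 0; unsigned depth = 0;
    return decode_mpls_stack(mpls_cut_short, sizeof mpls_cut_short, &payload, &depth);
}
int check_dhcp_ok(void)
{
    const uint8_t *cid; size_t n;
    return parse_dhcp_options(dhcp_ok, sizeof dhcp_ok, &cid, &n) == DECODE_OK && n == 7 && cid[0] == 0x01;
}
int check_dhcp_cut_short(void)
{
    const uint8_t *cid; size_t n;
    return parse_dhcp_options(dhcp_cut_short, sizeof dhcp_cut_short, &cid, &n);
}
int check_dhcp_bad_len(void)
{
    const uint8_t *cid; size_t n;
    return parse_dhcp_options(dhcp_bad_len, sizeof dhcp_bad_len, &cid, &n);
}

int main(void)
{
    printf("mpls ok=%d truncated=%d\n", check_mpls_two_labels(), check_mpls_cut_short());
    printf("dhcp ok=%d truncated=%d invalid=%d\n", check_dhcp_ok(), check_dhcp_cut_short(), check_dhcp_bad_len());
    return 0;
}
```

Both functions apply the one rule that closes both CVEs: before reading a field, check that `len - off` covers it, and treat a shortfall as a parse failure rather than as data. The loop-exit condition in the MPLS walker is likewise bounded by the remaining length and by a depth cap, not only by the S bit the packet supplies. In Rust the same discipline is a `get(..)` or `split_at_checked`-style slice that returns `None` on a short input instead of an indexing panic, which is what turns a short DHCP packet into a rejected parse rather than a crashed worker.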