cvebase

OISF Suricata vulnerabilities

85 known vulnerabilities affecting oisf/suricata.

Total CVEs: 85
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 12, HIGH 58, MEDIUM 15

Vulnerabilities

Page 4 of 5
CVE-2024-38536 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.6 | 2024-07-11
CWE-476. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
Sources: NVD, OSV
CVE-2018-10242 | P3 | HIGH | CVSS 7.5 | v4.0.4 | 2019-04-04
CWE-125. Suricata version 4.0.4 incorrectly handles the parsing of the SSH banner. A malformed SSH banner can cause the parsing code to read beyond the allocated data because SSHParseBanner in app-layer-ssh.c lacks a length check.
Sources: NVD, OSV
CVE-2019-1010279 | P3 | HIGH | CVSS 7.5 | fixed in 4.1.3 | 2019-07-18
CWE-347. Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specially formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65f
Sources: NVD, OSV
CVE-2024-55628 | P3 | HIGH | CVSS 7.5 | fixed in 7.0.8 | 2025-01-06
CWE-405. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too
Sources: NVD, OSV
CVE-2019-10051 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:4.1.4-1 | 2019-08-28
An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.
Sources: OSV
CVE-2017-15377 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:4.0.0-1 | 2017-10-23
In Suricata before 4.x, it was possible to trigger lots of redundant checks on the content of crafted network traffic with a certain signature, because of DetectEngineContentInspection in detect-engine-content-inspection.c. The search engine doesn't stop when it should after no match is found; instead, it stops only upon reaching inspection-recursion-limit (3000 by default).
Sources: OSV
CVE-2019-10054 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:4.1.4-1 | 2019-08-28
An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.
Sources: OSV
CVE-2019-10056 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:4.1.4-1 | 2019-08-28
An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't determine the current length. Specifically, if the packet is exactly 28 long, in the first iteration it subtracts 14 bytes. Then, it is workin
Sources: OSV
CVE-2019-10055 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:4.1.4-1 | 2019-08-28
An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.
Sources: OSV
CVE-2015-0928 | P4 | HIGH | CVSS 7.5 | ≥ 0, < 2.0.7-1 | 2017-08-28
libhtp 0.5.15 allows remote attackers to cause a denial of service (NULL pointer dereference).
Sources: OSV
CVE-2017-7177 | P4 | HIGH | CVSS 7.5 | ≥ 0, < 3.2.1-1 | 2017-03-18
Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused by lack of a check for the IP protocol during fragment matching.
Sources: OSV
CVE-2024-32867 | P4 | MEDIUM | CVSS 5.3 | ≥ 6.0.0, < 6.0.19 | ≥ 7.0.0, < 7.0.5 | +2 more | 2024-05-07
CWE-754. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.
Sources: NVD, OSV
CVE-2024-24568 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.0.0, < 7.0.3 | v>= 7.0.0, < 7.0.3 | 2024-02-26
CWE-284. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3.
Sources: NVD, OSV
CVE-2026-22263 | P4 | MEDIUM | CVSS 5.3 | ≥ 8.0.0, < 8.0.3 | v>= 8.0.0, < 8.0.3 | 2026-01-27
CWE-1050. Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.
Sources: NVD, OSV
CVE-2026-22261 | P4 | MEDIUM | CVSS 5.3 | fixed in 7.0.14 | ≥ 8.0.0, < 8.0.3 | +1 more | 2026-01-27
CWE-1050. Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default.
Sources: NVD, OSV
CVE-2025-59149 | P4 | MEDIUM | CVSS 6.2 | v8.0.0 | v>= 8.0.0, < 8.0.1 | 2025-10-01
CWE-121. Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In version 8.0.0, rules using keyword ldap.responses.attribute_type (which is long) with transforms can lead to a stack buffer overflow during Suricata startup or during a rule reload. This issue is fixed in version
Sources: NVD
CVE-2016-10728 | P4 | MEDIUM | CVSS 5.3 | ≥ 0, < 3.1.2-1 | 2018-07-23
An issue was discovered in Suricata before 3.1.2. If an ICMPv4 error packet is received as the first packet on a flow in the to_client direction, it confuses the rule grouping lookup logic. The toclient inspection will then continue with the wrong rule group. This can lead to missed detection.
Sources: OSV
CVE-2024-45796 | P4 | MEDIUM | CVSS 5.3 | fixed in 7.0.7 | 2024-10-16
CWE-193. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior. This issue has been addressed in 7.0.7.
Sources: NVD, OSV
CVE-2014-6603 | P4 | MEDIUM | CVSS 5.0 | ≥ 0, < 2.0.4-1 | 2014-10-07
The SSHParseBanner function in SSH parser (app-layer-ssh.c) in Suricata before 2.0.4 allows remote attackers to bypass SSH rules, cause a denial of service (crash), or possibly have unspecified other impact via a crafted banner, which triggers a large memory allocation or an out-of-bounds write.
Sources: OSV
CVE-2025-29918 | P4 | MEDIUM | CVSS 5.5 | fixed in 7.0.9 | 2025-04-10
CWE-835. Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. The packet processing thread becomes stuck in an infinite loop, limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9.
Sources: NVD, OSV