Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1 MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.
Published: 2026-01-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Patch
AI Analysis

Impact

Suricata, an open‑source network IDS, IPS, and NSM engine, contains a flaw whereby crafted DCERPC traffic can cause an unbounded buffer to expand, exhausting system memory and forcing the process to be killed. This weakness corresponds to CWE‑400 (uncontrolled resource consumption) and CWE‑770 (resource exhaustion), and the primary impact is a denial of service that interrupts network monitoring.

Affected Systems

Versions of Suricata older than 8.0.3 and 7.0.14 are affected. The vulnerability was demonstrated for DCERPC over UDP, and it is believed to also affect DCERPC over TCP and SMB when the stream.reassembly.depth option is left unlimited. In the default configuration, DCERPC/TCP is not vulnerable because the depth is capped at 1 MiB, whereas SMB defaults to unlimited, potentially exposing the system if left unchanged.

Risk and Exploitability

With a CVSS score of 7.5, the issue falls in the high-severity range. The EPSS score is below 1% and it is not listed in the CISA KEV catalog, indicating a relatively low likelihood of exploitation. Nonetheless, an attacker who can reliably send large, fragment-based DCERPC messages, most reliably over UDP, can trigger memory exhaustion and cause Suricata to crash, resulting in a denial of service against the IDS.

Generated by OpenCVE AI on April 18, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Suricata to version 8.0.3 or newer (or 7.0.14 or newer for 7.x users).
  • Disable the DCERPC parser for UDP traffic to eliminate the fragment‑buffering code path.
  • Configure stream.reassembly.depth to a reasonable limit, e.g., 1 MiB, for TCP and SMB streams to prevent unlimited buffering.
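The following suricata.yaml fragment is an added illustration of the workarounds listed above; it is not from OpenCVE or the Suricata project. It assumes the stock key names `app-layer.protocols.dcerpc.enabled` and `app-layer.protocols.smb.stream-depth` (where `0` means unlimited) alongside the `stream.reassembly.depth` setting named in the description.

```yaml
# Constructed suricata.yaml fragment illustrating the CVE-2026-22258 workarounds.
# Key names other than stream.reassembly.depth are assumed from the stock
# suricata.yaml; verify against the installed version before applying.

stream:
  reassembly:
    # Global TCP reassembly depth. 1mb is the shipped default, which is why
    # DCERPC/TCP is not considered vulnerable in the default configuration.
    # Setting this to 0 would make it unlimited and re-expose DCERPC/TCP.
    depth: 1mb

app-layer:
  protocols:
    dcerpc:
      # Workaround for DCERPC/UDP: disable the parser. This knob is assumed
      # to be shared by DCERPC over TCP and UDP, so DCERPC/TCP parsing stops
      # too; upgrading to 8.0.3 / 7.0.14 is the preferred fix.
      enabled: no
    smb:
      enabled: yes
      # Per-protocol reassembly depth for SMB. 0 (the default) means
      # unlimited, which is the exposed setting. A finite cap mitigates the
      # memory exhaustion but, as the advisory warns, costs visibility into
      # SMB transfers larger than the cap.
      # stream-depth: 0      # default: unlimited (exposed)
      stream-depth: 1mb      # capped (mitigated, reduced SMB visibility)
```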

Generated by OpenCVE AI on April 18, 2026 at 14:47 UTC.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Oisf
Oisf suricata
Vendors & Products Oisf
Oisf suricata

Tue, 27 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.
Title Suricata DCERPC: unbounded fragment buffering leads to memory exhaustion
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T18:28:38.707Z

Reserved: 2026-01-07T05:19:12.922Z

Link: CVE-2026-22258

Vulnrichment

Updated: 2026-01-27T18:27:01.140Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:12.253

Modified: 2026-01-30T20:09:24.067

Link: CVE-2026-22258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses