Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default).
Published: 2026-01-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

Suricata's DNP3 parsing routine is vulnerable to an unbounded transaction growth issue where a specially crafted packet sequence can consume excessive memory during parsing. The excessive memory consumption can slow the process and eventually trigger the operating system's out-of-memory killer, causing the Suricata instance to terminate, thereby denying the availability of network monitoring services.

Affected Systems

The vulnerability affects OISF Suricata releases prior to version 8.0.3 and 7.0.14. Any instance running Suricata 7.x older than 7.0.14 or 8.x older than 8.0.3 is at risk.

Risk and Exploitability

The CVSS v3 score of 7.5 indicates high severity while the EPSS score of less than 1% reflects a very low exploitation probability. The issue is not listed in CISA's KEV catalog. Exploitation requires network visibility; a threat actor can send crafted DNP3 packets to a vulnerable Suricata instance, escalating memory usage without authentication or privileged access.

Generated by OpenCVE AI on April 18, 2026 at 02:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Suricata to version 8.0.3 or newer, or 7.0.14 or newer.
  • If an immediate upgrade is not possible, disable the DNP3 parser in the suricata.yaml configuration file.
  • Consider blocking DNP3 traffic at the network perimeter until the service can be patched or the parser is disabled.

Generated by OpenCVE AI on April 18, 2026 at 02:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Oisf
Oisf suricata
Vendors & Products Oisf
Oisf suricata

Tue, 27 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Description Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default).
Title Suricata dnp3: unbounded transaction growth
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oisf Suricata
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T18:16:55.422Z

Reserved: 2026-01-07T05:19:12.922Z

Link: CVE-2026-22259

cve-icon Vulnrichment

Updated: 2026-01-27T18:16:50.763Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T17:16:12.407

Modified: 2026-01-30T20:01:49.137

Link: CVE-2026-22259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses