Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default.
Published: 2026-01-27
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via resource exhaustion
Action: Patch
AI Analysis

Impact

Suricata processes XFF (X-Forwarded-For) headers inefficiently when generating alerts outside an active HTTP transaction. This inefficiency can cause the engine to consume large amounts of CPU and memory, leading to severe performance degradation and potential denial of service. The flaw is classified as a resource exhaustion weakness (CWE-1050).

Affected Systems

The vulnerability affects OISF Suricata network IDS/IPS releases before 8.0.3 (8.x branch) and before 7.0.14 (7.0.x branch). Users running these versions with XFF support enabled are susceptible. The default configuration disables XFF, but if it has been enabled the system is exposed.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L: network-reachable, high attack complexity, no privileges or user interaction, availability impact only), and the EPSS score of less than 1% reflects a low likelihood of widespread exploitation. Suricata is not listed in the CISA KEV catalog. Exploitation would require traffic that triggers the slow alert path, so the attack vector is remote network traffic carrying XFF headers, with no known need for privileged access.

Generated by OpenCVE AI on April 18, 2026 at 02:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Suricata to version 8.0.3 or later, or 7.0.14 or later.
  • As a temporary measure, disable XFF support in the eve configuration; the setting is off by default.
  • Continuously monitor system performance and Suricata logs for abnormal CPU or memory usage, and apply the upgrade promptly.
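Where the workaround lives in suricata.yaml, as an added illustration (not text from the advisory or from OpenCVE): the key names are Suricata's documented eve-log xff options; the surrounding outputs layout and the log filename are assumed.

```yaml
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      # XFF handling for eve alert records. Suricata ships this block with
      # enabled: no; the vulnerable code path is only reachable when a site
      # has switched it to yes.
      xff:
        enabled: no            # workaround: keep off until 8.0.3 / 7.0.14 is deployed
        mode: extra-data       # extra-data or overwrite
        deployment: reverse    # reverse or forward proxy
        header: X-Forwarded-For
      types:
        - alert
```

After editing, restart Suricata and confirm the effective value with `suricata --dump-config | grep xff`, which prints the loaded eve-log keys including `xff.enabled`.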

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 21:15:00 +0000
  Weaknesses: NVD-CWE-noinfo
  CPEs: cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Wed, 28 Jan 2026 12:30:00 +0000
  First Time appeared: Oisf, Oisf suricata
  Vendors & Products: Oisf, Oisf suricata

Wed, 28 Jan 2026 12:15:00 +0000
  References
  Metrics: threat_severity None -> Low

Tue, 27 Jan 2026 19:15:00 +0000
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 18:30:00 +0000
  Description: Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default.
  Title: Suricata eve/alert: http1 xff handling can lead to denial of service
  Weaknesses: CWE-1050
  References
  Metrics: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T18:24:24.317Z

Reserved: 2026-01-07T05:19:12.923Z

Link: CVE-2026-22261

Vulnrichment

Updated: 2026-01-27T18:24:17.079Z

NVD

Status : Analyzed

Published: 2026-01-27T19:16:14.173

Modified: 2026-01-29T21:02:34.583

Link: CVE-2026-22261

Redhat

Severity : Low

Public Date: 2026-01-27T18:10:27Z

Links: CVE-2026-22261 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z