Description
Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.
Published: 2026-01-27
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Use-After-Free in Suricata alert handling
Action: Apply Patch
AI Analysis

Impact

Suricata, a network intrusion detection and prevention engine, is vulnerable to a heap-use-after-free condition caused by an unsigned integer overflow during alert queue expansion. The flaw arises when a single packet triggers an excessive number of alerts, potentially leading to memory corruption, application crashes, and, in worse‐case scenarios, arbitrary code execution. The vulnerability is rooted in CWE‑416, a classic use‑after‑free weakness.

Affected Systems

The issue affects the OISF Suricata product, specifically all releases prior to version 8.0.3 and 7.0.14. The security advisory explicitly lists these vulnerable releases, and later patches address the overflow and heap misuse.

Risk and Exploitability

Suricata assigns a CVSS score of 7.4, indicating a high severity level, yet the EPSS score is reported as less than 1 percent, suggesting a very low probability of public exploitation at the time of assessment. The vulnerability is not present in CISA’s KEV catalog. The likely attack vector involves the delivery of crafted network traffic that triggers an overwhelming number of alerts within a single packet, especially when running untrusted or overly permissive rule sets. A workaround is to limit the number of active signatures that can match a single packet to fewer than 65536, thereby preventing the overflow scenario.

Generated by OpenCVE AI on April 18, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Suricata to version 8.0.3, 7.0.14, or later where the heap use‑after‑free issue is resolved.
  • If an upgrade is not immediately possible, limit the number of loaded signatures to under 65536 and avoid using untrusted rule sets that may generate excessive alerts per packet.
  • Reduce the rule set complexity or disable optional high‑volume rules that can trigger many alerts from a single packet.
  • Monitor alert rates for abnormal spikes and enforce limits on alerts per packet to detect potential exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 01:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Wed, 28 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Oisf
Oisf suricata
Vendors & Products Oisf
Oisf suricata

Tue, 27 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
Description Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.
Title Suricata detect/alert: heap-use-after-free on alert queue expansion
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Oisf Suricata
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T14:02:38.233Z

Reserved: 2026-01-07T05:19:12.923Z

Link: CVE-2026-22264

cve-icon Vulnrichment

Updated: 2026-01-28T14:02:34.288Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T19:16:14.640

Modified: 2026-01-29T20:58:58.080

Link: CVE-2026-22264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses