Description
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (crash)
Action: Apply Patch
AI Analysis

Impact

A null pointer dereference occurs when the tls.alpn rule keyword is used in Suricata versions 8.0.0 through 8.0.3. The bug causes the IDS/IPS engine to crash, resulting in a denial of service that can disable traffic inspection and alerting.

Affected Systems

Affected systems are the OISF Suricata network monitoring platform versions 8.0.0 to 8.0.3 inclusive. The vulnerability applies to any deployment that uses the tls.alpn keyword in its rule set. Users of later releases, such as 8.0.4 and beyond, are not impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The bug is not listed in the CISA KEV catalog. Likely attack vectors require a Suricata instance processing a TLS handshake that includes the ALPN field set to a value that triggers the crash. The flaw is exploitable by any network entity that can send such traffic to the monitored hosts, though only a misconfigured or malicious source would typically target it.

Generated by OpenCVE AI on April 7, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Suricata 8.0.4 or later.
  • If upgrade cannot be performed immediately, remove or comment out rules that use the tls.alpn keyword to prevent the crash.
  • Verify the running instance is on a patched version by checking the output of suricata -V or consulting the package manager.

Generated by OpenCVE AI on April 7, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Oisf
Oisf suricata
Vendors & Products Oisf
Oisf suricata

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
Title Suricata tls: null dereference in tls.alpn rule keyword
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oisf Suricata
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:18:27.902Z

Reserved: 2026-03-10T15:10:10.653Z

Link: CVE-2026-31931

cve-icon Vulnrichment

Updated: 2026-04-02T14:18:19.353Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T14:16:28.587

Modified: 2026-04-07T18:28:33.437

Link: CVE-2026-31931

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-02T14:01:03Z

Links: CVE-2026-31931 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:25Z

Weaknesses