Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via performance degradation
Action: Patch
AI Analysis

Impact

Suricata, a network IDS/IPS, contains an inefficiency in its Kerberos5 buffering routine that can grow quadratically with the amount of traffic. An attacker who can force the IDS to process large volumes of Kerberos traffic can cause the system to slow dramatically or become overwhelmed, leading to a denial of legitimate network traffic. The flaw is a classic resource exhaustion problem, categorized as CWE‑407 and CWE‑770. No arbitrary code execution is possible.

Affected Systems

The vulnerability affects the OISF Suricata product. All releases before 7.0.15 and 8.0.4 are impacted. Versions 7.0.15 and above, as well as 8.0.4 and later, contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score of less than 1 % suggests that exploitation is not yet common, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote: an adversary can send crafted Kerberos packets into the network to trigger the quadratic buffering behavior. Because the issue is purely an efficiency bug, an attacker can only degrade performance rather than gain direct access to the system.

Generated by OpenCVE AI on April 7, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Suricata to version 7.0.15 or newer, or 8.0.4 or newer
  • Monitor system performance for signs of degradation

Generated by OpenCVE AI on April 7, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Oisf
Oisf suricata
Vendors & Products Oisf
Oisf suricata
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Title Suricata krb5: quadratic complexity in krb5 buffering
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oisf Suricata
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:33:25.016Z

Reserved: 2026-03-10T15:10:10.654Z

Link: CVE-2026-31932

cve-icon Vulnrichment

Updated: 2026-04-02T18:33:14.922Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T14:16:28.763

Modified: 2026-04-07T18:29:05.083

Link: CVE-2026-31932

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-02T14:02:40Z

Links: CVE-2026-31932 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:24Z

Weaknesses