Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from quadratic (O(n^2)) complexity in the Kerberos 5 (KRB5) buffering code of Suricata's application-layer parser. An attacker whose traffic the engine inspects can drive that buffering path into excessive work, consuming CPU time and memory out of proportion to the bytes sent, which makes the engine sluggish and can amount to a denial of service of inspection. It is classified under CWE-407 (Inefficient Algorithmic Complexity) and CWE-770 (Allocation of Resources Without Limits or Throttling). The advisory does not say which buffering pattern was quadratic, only that the fix is in 7.0.15 and 8.0.4.
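To make the complexity class concrete, the following added example (written for this page, not Suricata's or OISF's code) shows one common way a protocol buffer becomes quadratic: a reassembler that rebuilds the entire accumulated buffer on every incoming TCP segment, beside one that appends in place and tracks a read offset. The framing is the 4-byte big-endian length prefix Kerberos uses over TCP; the "trickle" traffic, a message whose header promises a large body that then arrives a few bytes at a time, is constructed here as the input that stresses buffering. The class names, the bytes-copied counter and the specific copy pattern are illustrative assumptions, not a description of the flaw in Suricata.

```python
"""Quadratic versus linear buffering for length-prefixed records.

Added illustration, not Suricata's code.  Both parsers yield the same
records; they differ in how many bytes they copy per segment, which is
what CWE-407 (inefficient algorithmic complexity) is about.
"""
import struct

HEADER_LEN = 4  # 4-byte big-endian length prefix (KRB5 over TCP framing)


def extract_records(buf, start):
    """Parse complete length-prefixed records from buf[start:].

    Returns (records, new_offset); an incomplete trailing record is left
    in the buffer for the next segment.
    """
    records, pos = [], start
    while pos + HEADER_LEN <= len(buf):
        (length,) = struct.unpack_from(">I", buf, pos)
        end = pos + HEADER_LEN + length
        if end > len(buf):
            break  # record still incomplete: keep buffering
        records.append(bytes(buf[pos + HEADER_LEN:end]))
        pos = end
    return records, pos


class RebuildingBuffer:
    """Naive reassembly (hypothetical): builds a fresh bytes object holding
    everything buffered so far on every segment.  Each feed copies the whole
    backlog, so n segments of one incomplete message cost O(n^2) bytes."""

    def __init__(self):
        self.buf = b""
        self.bytes_copied = 0  # cost metric: bytes moved in memory

    def feed(self, segment):
        self.bytes_copied += len(self.buf) + len(segment)  # full rebuild
        self.buf = self.buf + segment
        records, consumed = extract_records(self.buf, 0)
        if consumed:
            self.bytes_copied += len(self.buf) - consumed  # another rebuild
            self.buf = self.buf[consumed:]
        return records


class OffsetBuffer:
    """Linear reassembly: append in place, keep a read offset, and only
    compact once consumed data dominates, so each byte is copied O(1) times."""

    def __init__(self):
        self.buf = bytearray()
        self.offset = 0
        self.bytes_copied = 0

    def feed(self, segment):
        self.buf.extend(segment)  # amortised O(len(segment))
        self.bytes_copied += len(segment)
        records, self.offset = extract_records(self.buf, self.offset)
        if self.offset > len(self.buf) // 2:  # rare compaction, amortised O(1)
            remaining = len(self.buf) - self.offset
            del self.buf[:self.offset]
            self.bytes_copied += remaining
            self.offset = 0
        return records


def trickle(parser, body_len, segment_len):
    """Feed one record whose header promises body_len bytes, segment_len bytes
    at a time (constructed traffic).  Returns (records_parsed, bytes_copied)."""
    payload = struct.pack(">I", body_len) + bytes(body_len)
    records = []
    for i in range(0, len(payload), segment_len):
        records.extend(parser.feed(payload[i:i + segment_len]))
    return len(records), parser.bytes_copied


if __name__ == "__main__":
    # A 20 kB body delivered in 4-byte segments: same result, very different cost.
    print("rebuilding:", trickle(RebuildingBuffer(), 20000, 4))
    print("offset    :", trickle(OffsetBuffer(), 20000, 4))
```

The counters make the asymmetry visible without timing noise: for the 20 kB message in 4-byte segments the rebuilding parser moves about 50 MB in memory while the offset parser moves 20 kB, and the gap grows with the square of the segment count. Any reassembly that re-copies, re-scans or re-parses the whole backlog per segment has the same shape, and an attacker needs only sustained, cheap-to-send traffic to exploit it.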

Affected Systems

Affected deployments are those running Suricata earlier than 7.0.15 on the 7.0 branch or earlier than 8.0.4 on the 8.0 branch; the vendor, OISF, shipped the fix in those two releases. Any installation on Suricata 7.0.0 through 7.0.14 or 8.0.0 through 8.0.3 is affected. Older branches (6.x and earlier) are also covered by the description's "prior to 7.0.15" wording but are not among the patched releases, so they should be treated as affected with no fix available on that branch.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) denotes high severity: reachable over the network, low attack complexity, no privileges or user interaction, and impact confined to availability. EPSS is below 1% and the issue is not listed in CISA's KEV catalog, so no exploitation in the wild is known; CISA's SSVC assessment nonetheless rates it automatable with partial technical impact. The attack vector is not inferred but stated by the vector string: crafted Kerberos traffic that the sensor inspects reaches the quadratic buffering path without any interaction with the sensor itself, so any party that can send traffic across a monitored segment is a potential source. The practical risk is a remote denial of service against inspection: sustained malicious traffic can slow or stall the engine, which in IDS mode means dropped packets and missed detections and in inline IPS mode also delays the forwarded traffic.

Generated by OpenCVE AI on April 3, 2026 at 03:22 UTC.

Remediation

Fixed upstream in Suricata 7.0.15 and 8.0.4 (the releases named in the description). No vendor-published workaround for unpatched versions.

OpenCVE Recommended Actions

  • Upgrade Suricata: 7.0.x deployments to 7.0.15 or later, 8.0.x deployments to 8.0.4 or later (the fixed releases named in the description)
  • If the software cannot be upgraded immediately, monitor per-source rates of Kerberos traffic (TCP/UDP port 88; app_proto "krb5" in eve.json) and rate-limit or filter it upstream so a single sender cannot exhaust the sensor; where Kerberos protocol logging is not needed, disabling the krb5 app-layer parser in suricata.yaml (app-layer.protocols.krb5.enabled: no) keeps that parser, and with it the affected buffering path, from running on the traffic, though this is a general Suricata setting rather than a vendor-published workaround for this CVE
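The monitoring step above, as an added example that is not part of OpenCVE's page or Suricata's code: a per-source sliding-window counter over eve.json events whose app_proto is krb5, flagging sources whose event rate exceeds a threshold. The log lines are constructed and carry only the fields the check reads (timestamp, src_ip, app_proto); a real eve.json record has many more. The window, threshold and IP addresses are assumptions to be tuned against the deployment's own Kerberos baseline.

```python
"""Flag sources sending bursts of Kerberos traffic, from Suricata eve.json.

Added example, not Suricata's or OpenCVE's code.  Reads eve.json lines,
keeps a per-source sliding window of krb5 event timestamps, and reports
any source whose count within the window crosses the threshold.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 10   # assumed window length
THRESHOLD = 200       # assumed krb5 events per source per window; tune to baseline
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2026-04-02T14:16:28.763123+0000


def parse_ts(ts):
    """Parse an eve.json timestamp into an aware datetime."""
    return datetime.strptime(ts, EVE_TS_FORMAT)


def krb5_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_ip: peak_events_in_window} for sources at or above threshold.

    Events are assumed to arrive in time order per source, as eve.json is
    written; malformed lines and non-krb5 events are skipped.
    """
    recent = defaultdict(deque)  # src_ip -> timestamps inside the window
    peak = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("app_proto") != "krb5":
            continue
        src, ts = ev.get("src_ip"), parse_ts(ev["timestamp"])
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire old events
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def sample_lines():
    """Constructed eve.json fragments: a quiet client and one bursty source."""
    base = datetime(2026, 4, 2, 14, 16, 28, tzinfo=timezone.utc)

    def ev(src, offset_ms, proto="krb5"):
        ts = (base + timedelta(milliseconds=offset_ms)).strftime(EVE_TS_FORMAT)
        return json.dumps({
            "timestamp": ts, "event_type": "flow", "src_ip": src,
            "dest_ip": "10.0.0.5", "dest_port": 88, "proto": "TCP",
            "app_proto": proto,
        })

    lines = [ev("10.0.0.23", i * 1000) for i in range(5)]        # normal client, 1/s
    lines += [ev("203.0.113.7", i * 5) for i in range(300)]      # 300 events in 1.5 s
    lines += [ev("10.0.0.23", 9000, proto="dns")]                # non-krb5 noise, ignored
    return lines


if __name__ == "__main__":
    # With a real file: krb5_bursts(open("/var/log/suricata/eve.json"))
    print(krb5_bursts(sample_lines()))
```

A hit only says that a source is unusually chatty on Kerberos, not that it is exploiting this issue, so use it to pick sources to rate-limit or inspect while the upgrade is pending. The same per-source rate check can be expressed inside Suricata with the rule `threshold` keyword (track by_src, count, seconds) if alerting from the sensor itself is preferred, with the caveat that a sensor already starved by the quadratic path may lag in raising that alert.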


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 01:30:00 +0000

Weaknesses   added: CWE-770
References   (none listed)
Metrics      threat_severity: None -> Important


Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared   added: Oisf; Oisf suricata
Vendors & Products    added: Oisf; Oisf suricata
Metrics               ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 14:15:00 +0000

Description   added: Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Title         added: Suricata krb5: quadratic complexity in krb5 buffering
Weaknesses    added: CWE-407
References    (none listed)
Metrics       cvssV3_1 added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:33:25.016Z

Reserved: 2026-03-10T15:10:10.654Z

Link: CVE-2026-31932

Vulnrichment

Updated: 2026-04-02T18:33:14.922Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T14:16:28.763

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-31932

Red Hat

Severity : Important

Public Date: 2026-04-02T14:02:40Z

Links: CVE-2026-31932 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:45Z

Weaknesses