{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22258", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.922Z", "datePublished": "2026-01-27T16:17:29.903Z", "dateUpdated": "2026-01-27T18:28:38.707Z"}, "containers": {"cna": {"title": "Suricata DCERPC: unbounded fragment buffering leads to memory exhaustion", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx"}, {"name": "https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74"}, {"name": "https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8182", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8182"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": "< 7.0.14", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T16:17:29.903Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB."}], "source": {"advisory": "GHSA-289c-h599-3xcx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:26:50.259731Z", "id": "CVE-2026-22258", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:28:38.707Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22258", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:26:50.259731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:27:01.140Z"}}], "cna": {"title": "Suricata DCERPC: unbounded fragment buffering leads to memory exhaustion", "source": {"advisory": "GHSA-289c-h599-3xcx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": "< 7.0.14"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74", "name": "https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830", "name": "https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830", "tags": ["x_refsource_MISC"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8182", "name": "https://redmine.openinfosecfoundation.org/issues/8182", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T16:17:29.903Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22258", "state": "PUBLISHED", "dateUpdated": "2026-01-27T18:28:38.707Z", "dateReserved": "2026-01-07T05:19:12.922Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T16:17:29.903Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B0F0-AF2D-4140-BC66-9186EF7E455D", "versionEndExcluding": "7.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB."}], "id": "CVE-2026-22258", "lastModified": "2026-01-30T20:09:24.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-27T17:16:12.253", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8182"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:47:37.108854+00:00", "value": {"mitigation_remediation": ["Upgrade Suricata to version 8.0.3 or newer (or 7.0.14 or newer for 7.x users).", "Disable the DCERPC parser for UDP traffic to eliminate the fragment\u2011buffering code path.", "Configure stream.reassembly.depth to a reasonable limit, e.g., 1\u202fMiB, for TCP and SMB streams to prevent unlimited buffering."], "summary": {"action": "Patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "Versions of Suricata older than 8.0.3 and 7.0.14 are affected. The vulnerability was demonstrated for DCERPC over UDP, and it is believed to also affect DCERPC over TCP and SMB when the stream.reassembly.depth option is left unlimited. In the default configuration, DCERPC/TCP is not vulnerable because the depth is capped at 1\u202fMiB, whereas SMB defaults to unlimited, potentially exposing the system if left unchanged.", "description_and_impact": "Suricata, an open\u2011source network IDS, IPS, and NSM engine, contains a flaw whereby crafted DCERPC traffic can cause an unbounded buffer to expand, exhausting system memory and forcing the process to be killed. This weakness corresponds to CWE\u2011400 (uncontrolled resource consumption) and CWE\u2011770 (resource exhaustion), and the primary impact is a denial of service that interrupts network monitoring.", "risk_and_exploitability": "With a CVSS score of 7.5 the issue lies in the high\u2011severity range. The EPSS score is below 1\u202f% and it is not listed in the CISA KEV catalog, indicating a relatively low likelihood of exploitation. Nonetheless, an attacker who can reliably send large, fragment\u2011based DCERPC messages\u2014most reliably over UDP\u2014can trigger memory exhaustion and cause Suricata to crash, resulting in a denial of service against the IDS system."}}}}, "created": "2026-01-27T20:16:46.162361+00:00", "updated": "2026-04-18T15:00:03.436585+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}