{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22260", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.922Z", "datePublished": "2026-01-27T17:30:39.582Z", "dateUpdated": "2026-01-27T17:57:27.806Z"}, "containers": {"cna": {"title": "Suricata http1: infinite recursion in decompression", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22"}, {"name": "https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8185", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8185"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": ">= 8.0.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T17:30:39.582Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`."}], "source": {"advisory": "GHSA-3gm8-84cm-5x22", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T17:54:58.023755Z", "id": "CVE-2026-22260", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:57:27.806Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T17:54:58.023755Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:57:07.945Z"}}], "cna": {"title": "Suricata http1: infinite recursion in decompression", "source": {"advisory": "GHSA-3gm8-84cm-5x22", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": ">= 8.0.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185", "name": "https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185", "tags": ["x_refsource_MISC"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8185", "name": "https://redmine.openinfosecfoundation.org/issues/8185", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T17:30:39.582Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22260", "state": "PUBLISHED", "dateUpdated": "2026-01-27T17:57:27.806Z", "dateReserved": "2026-01-07T05:19:12.922Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T17:30:39.582Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`."}], "id": "CVE-2026-22260", "lastModified": "2026-01-29T21:03:54.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-27T18:15:55.383", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8185"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:46:14.963314+00:00", "value": {"mitigation_remediation": ["Upgrade Suricata to version\u202f8.0.3 or later to apply the stack\u2011overflow fix.", "If an upgrade is temporarily infeasible, configure Suricata to use the default request\u2011body\u2011limit and response\u2011body\u2011limit settings, which prevent the decompression routine from receiving oversized payloads that trigger the recursion.", "Place Suricata behind a firewall or reverse proxy that filters or limits HTTP traffic to reduce the chance of malicious requests reaching the engine."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "OISF Suricata network IDS/IPS versions 8.0.0 through 8.0.2. The problem exists in all builds covering the http1 module during decompression, and the fix was applied in release 8.0.3.", "description_and_impact": "The flaw is an infinite recursion triggered during HTTP decompression, causing a stack overflow that crashes Suricata. As the CVE description does not specify the exact input that triggers the recursion, it is inferred that malformed or specially crafted HTTP traffic could invoke the recursive decompression path, leading to an application crash and denial of service. The issue is rooted in unchecked recursion (CWE\u2011674) and memory overwrite (CWE\u2011787).", "risk_and_exploitability": "The CVSS rating of 7.5 indicates a high severity level for this vulnerability. The EPSS score of <\u202f1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The CVE statement does not detail the attack vector, so the specific conditions under which the recursion can be triggered remain unspecified."}}}}, "created": "2026-01-28T12:22:44.028639+00:00", "updated": "2026-04-18T15:00:03.433301+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}