{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22261", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.923Z", "datePublished": "2026-01-27T18:10:27.881Z", "dateUpdated": "2026-01-27T18:24:24.317Z"}, "containers": {"cna": {"title": "Suricata eve/alert: http1 xff handling can lead to denial of service", "problemTypes": [{"descriptions": [{"cweId": "CWE-1050", "lang": "en", "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf"}, {"name": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44"}, {"name": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8156", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8156"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": "< 7.0.14", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:10:27.881Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default."}], "source": {"advisory": "GHSA-5jvg-5j3p-34cf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:24:03.406014Z", "id": "CVE-2026-22261", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:24:24.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:24:03.406014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:24:17.079Z"}}], "cna": {"title": "Suricata eve/alert: http1 xff handling can lead to denial of service", "source": {"advisory": "GHSA-5jvg-5j3p-34cf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": "< 7.0.14"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44", "name": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667", "name": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667", "tags": ["x_refsource_MISC"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8156", "name": "https://redmine.openinfosecfoundation.org/issues/8156", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1050", "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:10:27.881Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22261", "state": "PUBLISHED", "dateUpdated": "2026-01-27T18:24:24.317Z", "dateReserved": "2026-01-07T05:19:12.923Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T18:10:27.881Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B0F0-AF2D-4140-BC66-9186EF7E455D", "versionEndExcluding": "7.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default."}], "id": "CVE-2026-22261", "lastModified": "2026-01-29T21:02:34.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T19:16:14.173", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8156"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1050"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "suricata: Suricata: Denial of Service due to XFF handling inefficiencies", "id": "2433482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433482"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1050", "details": ["A flaw was found in Suricata, a network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. Various inefficiencies in its eXtended Forwarded For (XFF) handling, particularly for alerts not triggered in a transaction, can lead to severe slowdowns. This vulnerability could allow a remote attacker to cause a Denial of Service by sending specially crafted network traffic."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that XFF support is disabled in the Suricata eve configuration. This setting is disabled by default, so no action is required unless it has been explicitly enabled. If XFF support has been enabled, it can be disabled in the Suricata configuration file. A service restart may be required for changes to take effect."}, "name": "CVE-2026-22261", "public_date": "2026-01-27T18:10:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22261\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22261\nhttps://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44\nhttps://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667\nhttps://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf\nhttps://redmine.openinfosecfoundation.org/issues/8156"], "statement": "This is a LOW impact denial of service vulnerability in Suricata's XFF handling. Red Hat products shipping Suricata are not affected by default, as XFF support is disabled by default in the eve configuration. Exploitation would require an administrator to explicitly enable XFF support.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:00:54.327969+00:00", "value": {"mitigation_remediation": ["Upgrade Suricata to version 8.0.3 or later, or 7.0.14 or later.", "As a temporary measure, disable XFF support in the eve configuration; the setting is off by default.", "Continuously monitor system performance and Suricata logs for abnormal CPU or memory usage, and apply the upgrade promptly."], "summary": {"action": "Patch", "impact": "Denial of Service via resource exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OISF Suricata network IDS/IPS before version 8.0.3 and before 7.0.14. Users running these versions with XFF support enabled are susceptible. The default configuration disables XFF, but if enabled the system is exposed.", "description_and_impact": "Suricata processes XFF headers inefficiently when generating alerts outside an active transaction. This inefficiency can cause the engine to consume large amounts of CPU and memory, leading to dramatic performance degradation and potential denial of service. The flaw is classified as a resource exhaustion weakness (CWE\u20111050).", "risk_and_exploitability": "The CVSS score of 3.7 indicates moderate severity, and the EPSS score of less than 1% reflects a low likelihood of widespread exploitation. Suricata is not listed in the CISA KEV catalog. Exploitation would require traffic that triggers the slow alert path, so the attack vector is likely remote network traffic with XFF headers, with no known need for privileged access."}}}}, "created": "2026-01-28T12:21:52.511563+00:00", "updated": "2026-04-18T02:15:05.877279+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}