{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22262", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.923Z", "datePublished": "2026-01-27T18:18:52.922Z", "dateUpdated": "2026-01-27T19:30:42.782Z"}, "containers": {"cna": {"title": "Suricata datasets: stack overflow when saving a set", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86"}, {"name": "https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf"}, {"name": "https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1"}, {"name": "https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb"}, {"name": "https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521"}, {"name": "https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658"}, {"name": "https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8110", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8110"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": "< 7.0.14", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:18:52.922Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options."}], "source": {"advisory": "GHSA-9qg5-2gwh-xp86", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T19:29:40.963947Z", "id": "CVE-2026-22262", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T19:30:42.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T19:29:40.963947Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T19:30:08.868Z"}}], "cna": {"title": "Suricata datasets: stack overflow when saving a set", "source": {"advisory": "GHSA-9qg5-2gwh-xp86", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": "< 7.0.14"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf", "name": "https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1", "name": "https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb", "name": "https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521", "name": "https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658", "name": "https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90", "name": "https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90", "tags": ["x_refsource_MISC"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8110", "name": "https://redmine.openinfosecfoundation.org/issues/8110", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:18:52.922Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22262", "state": "PUBLISHED", "dateUpdated": "2026-01-27T19:30:42.782Z", "dateReserved": "2026-01-07T05:19:12.923Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T18:18:52.922Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B0F0-AF2D-4140-BC66-9186EF7E455D", "versionEndExcluding": "7.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options."}], "id": "CVE-2026-22262", "lastModified": "2026-01-29T21:01:55.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T19:16:14.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8110"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "suricata: Suricata: Denial of service due to stack overflow when saving large datasets", "id": "2433479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433479"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-121", "details": ["A flaw was found in Suricata, a network intrusion detection/prevention system (IDS/IPS). When saving a dataset, the system uses a stack buffer to process the data. If an attacker provides excessively large data within a dataset, it can cause a stack overflow. This vulnerability could lead to a denial of service, making the system unavailable."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid using rules with the `save` or `state` options for datasets in Suricata configurations. Disabling these specific dataset options prevents the vulnerable code path from being exercised, thereby eliminating the risk of a stack overflow. A restart of the Suricata service may be required for the changes to take effect."}, "name": "CVE-2026-22262", "public_date": "2026-01-27T18:18:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22262\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22262\nhttps://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf\nhttps://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1\nhttps://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb\nhttps://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521\nhttps://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658\nhttps://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90\nhttps://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86\nhttps://redmine.openinfosecfoundation.org/issues/8110"], "statement": "The vulnerability in Suricata, rated as MODERATE, involves a stack overflow when saving a dataset if the data exceeds the allocated buffer size. This flaw affects Suricata versions prior to 8.0.3 and 7.0.14. Red Hat customers running affected versions of Suricata are impacted if their intrusion detection rules utilize the `save` or `state` options with datasets, which can lead to a denial of service.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:46:20.373503+00:00", "value": {"mitigation_remediation": ["Upgrade Suricata to version 8.0.3 or later, or to 7.0.14 or later if staying on the 7.x branch, to apply the official fix.", "Avoid using the dataset options that trigger a save or state action until the patch is applied; this is the documented workaround.", "If upgrading immediately is not feasible, reduce dataset size or remove large entries so that the data remains below the stack buffer capacity, thereby preventing overflow."], "summary": {"action": "Apply patch", "impact": "Stack\u2011based buffer overflow in Suricata dataset saving"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OISF Suricata versions 7.0.0 through 7.0.13 and 8.0.0 through 8.0.2. Versions 7.0.14 and 8.0.3 include the fix; other releases are not known to be affected.", "description_and_impact": "When Suricata processes a dataset, it uses a stack buffer to assemble the data. In versions older than 8.0.3 and 7.0.14, a dataset that exceeds the buffer capacity triggers a stack overflow. The overflow can corrupt memory used by Suricata, leading to unpredictable program behavior or crashes. The flaw is classified as CWE\u2011121 (Stack Based Buffer Overflow) and CWE\u2011787 (Out of Bounds Write).", "risk_and_exploitability": "The CVSS score of 5.9 reflects moderate severity, while the EPSS score of less than 1\u202f% indicates a very low likelihood of exploitation at present. Suricata is not listed in CISA KEV, so no widespread exploitation is documented. The most likely attack vector requires local access to configure or supply rule datasets, but could also be remote if the dataset is influenced by external inputs."}}}}, "created": "2026-01-28T12:22:09.775622+00:00", "updated": "2026-04-18T19:00:08.020419+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}