{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22264", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.923Z", "datePublished": "2026-01-27T18:33:50.354Z", "dateUpdated": "2026-01-28T14:02:38.233Z"}, "containers": {"cna": {"title": "Suricata detect/alert: heap-use-after-free on alert queue expansion", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5"}, {"name": "https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715"}, {"name": "https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2"}, {"name": "https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8190", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8190"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": "< 7.0.14", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:33:50.354Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet."}], "source": {"advisory": "GHSA-mqr8-m3m4-2hw5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:02:26.152409Z", "id": "CVE-2026-22264", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:02:38.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22264", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:02:26.152409Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:02:34.288Z"}}], "cna": {"title": "Suricata detect/alert: heap-use-after-free on alert queue expansion", "source": {"advisory": "GHSA-mqr8-m3m4-2hw5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": "< 7.0.14"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715", "name": "https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2", "name": "https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b", "name": "https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b", "tags": ["x_refsource_MISC"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8190", "name": "https://redmine.openinfosecfoundation.org/issues/8190", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:33:50.354Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22264", "state": "PUBLISHED", "dateUpdated": "2026-01-28T14:02:38.233Z", "dateReserved": "2026-01-07T05:19:12.923Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T18:33:50.354Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B0F0-AF2D-4140-BC66-9186EF7E455D", "versionEndExcluding": "7.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet."}], "id": "CVE-2026-22264", "lastModified": "2026-01-29T20:58:58.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T19:16:14.640", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8190"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:59:49.018321+00:00", "value": {"mitigation_remediation": ["Upgrade Suricata to version 8.0.3, 7.0.14, or later where the heap use\u2011after\u2011free issue is resolved.", "If an upgrade is not immediately possible, limit the number of loaded signatures to under 65536 and avoid using untrusted rule sets that may generate excessive alerts per packet.", "Reduce the rule set complexity or disable optional high\u2011volume rules that can trigger many alerts from a single packet.", "Monitor alert rates for abnormal spikes and enforce limits on alerts per packet to detect potential exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Heap Use-After-Free in Suricata alert handling"}, "threat_synthesis": {"affected_systems": "The issue affects the OISF Suricata product, specifically all releases prior to version 8.0.3 and 7.0.14. The security advisory explicitly lists these vulnerable releases, and later patches address the overflow and heap misuse.", "description_and_impact": "Suricata, a network intrusion detection and prevention engine, is vulnerable to a heap-use-after-free condition caused by an unsigned integer overflow during alert queue expansion. The flaw arises when a single packet triggers an excessive number of alerts, potentially leading to memory corruption, application crashes, and, in worse\u2010case scenarios, arbitrary code execution. The vulnerability is rooted in CWE\u2011416, a classic use\u2011after\u2011free weakness.", "risk_and_exploitability": "Suricata assigns a CVSS score of 7.4, indicating a high severity level, yet the EPSS score is reported as less than 1 percent, suggesting a very low probability of public exploitation at the time of assessment. The vulnerability is not present in CISA\u2019s KEV catalog. The likely attack vector involves the delivery of crafted network traffic that triggers an overwhelming number of alerts within a single packet, especially when running untrusted or overly permissive rule sets. A workaround is to limit the number of active signatures that can match a single packet to fewer than 65536, thereby preventing the overflow scenario."}}}}, "created": "2026-01-28T12:22:25.975837+00:00", "updated": "2026-04-18T02:00:10.475824+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}