{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31931", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.653Z", "datePublished": "2026-04-02T14:01:03.512Z", "dateUpdated": "2026-04-02T14:18:27.902Z"}, "containers": {"cna": {"title": "Suricata tls: null dereference in tls.alpn rule keyword", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8294", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8294"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": ">= 8.0.0, < 8.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:01:03.512Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the \"tls.alpn\" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4."}], "source": {"advisory": "GHSA-gr22-4784-xvw3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:18:13.377669Z", "id": "CVE-2026-31931", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:18:27.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T14:18:13.377669Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:18:19.353Z"}}], "cna": {"title": "Suricata tls: null dereference in tls.alpn rule keyword", "source": {"advisory": "GHSA-gr22-4784-xvw3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": ">= 8.0.0, < 8.0.4"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8294", "name": "https://redmine.openinfosecfoundation.org/issues/8294", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the \"tls.alpn\" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:01:03.512Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31931", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:18:27.902Z", "dateReserved": "2026-03-10T15:10:10.653Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T14:01:03.512Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "F35C5A48-CA30-43B3-9E53-D3E51C862604", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the \"tls.alpn\" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4."}], "id": "CVE-2026-31931", "lastModified": "2026-04-07T18:28:33.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:28.587", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8294"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Suricata: Suricata: Denial of Service via 'tls.alpn' rule keyword", "id": "2454369", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454369"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in Suricata, a network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. An attacker could trigger a null dereference by using the \"tls.alpn\" rule keyword, causing the Suricata engine to crash. This vulnerability leads to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid using the 'tls.alpn' rule keyword in Suricata configurations. If Suricata crashes due to this vulnerability, restarting the service may temporarily restore functionality. Ensure that Suricata configurations do not include the 'tls.alpn' keyword to prevent service disruption."}, "name": "CVE-2026-31931", "public_date": "2026-04-02T14:01:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31931\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31931\nhttps://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3\nhttps://redmine.openinfosecfoundation.org/issues/8294"], "statement": "Important: Suricata is vulnerable to a denial of service when processing network traffic with rules that utilize the `tls.alpn` keyword. An attacker can trigger a null dereference, causing the Suricata engine to crash. This issue affects Suricata versions 8.0.0 through 8.0.3.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "suricata", "source": "cna", "vendor": "OISF"}, "product": "suricata", "vendor": "oisf"}], "analysis": {"en": {"generated_at": "2026-04-07T21:44:09.344491+00:00", "value": {"mitigation_remediation": ["Upgrade to Suricata 8.0.4 or later.", "If upgrade cannot be performed immediately, remove or comment out rules that use the tls.alpn keyword to prevent the crash.", "Verify the running instance is on a patched version by checking the output of suricata -V or consulting the package manager."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (crash)"}, "threat_synthesis": {"affected_systems": "Affected systems are the OISF Suricata network monitoring platform versions 8.0.0 to 8.0.3 inclusive. The vulnerability applies to any deployment that uses the tls.alpn keyword in its rule set. Users of later releases, such as 8.0.4 and beyond, are not impacted.", "description_and_impact": "A null pointer dereference occurs when the tls.alpn rule keyword is used in Suricata versions 8.0.0 through 8.0.3. The bug causes the IDS/IPS engine to crash, resulting in a denial of service that can disable traffic inspection and alerting.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The bug is not listed in the CISA KEV catalog. Likely attack vectors require a Suricata instance processing a TLS handshake that includes the ALPN field set to a value that triggers the crash. The flaw is exploitable by any network entity that can send such traffic to the monitored hosts, though only a misconfigured or malicious source would typically target it."}}}}, "created": "2026-04-02T20:12:25.842261+00:00", "updated": "2026-04-08T19:56:25.937250+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}