SB2026012852 - Multiple vulnerabilities in Suricata

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2026-22259)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources while parsing DNP3 traffic. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Resource exhaustion (CVE-ID: CVE-2026-22261)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within xff handling. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Stack-based buffer overflow (CVE-ID: CVE-2026-22262)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when saving a set. A remote unauthenticated attacker can trigger stack-based buffer overflow and cause a denial of service condition on the target system.

4) Resource exhaustion (CVE-ID: CVE-2026-22263)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to inefficiency in http1 headers parsing. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

5) Use-after-free (CVE-ID: CVE-2026-22264)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within alert queue expansion. A remote attacker can affect integrity and availability on the target application

6) Uncontrolled Recursion (CVE-ID: CVE-2026-22260)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to poorly bounded recursion in decompression. A remote attacker can cause a denial of service condition on the target system.

7) Resource exhaustion (CVE-ID: CVE-2026-22258)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can use specially crafted DCERPC traffic, trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://github.com/OISF/suricata/security/advisories/GHSA-878h-2x6v-84q9
• https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf
• https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86
• https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7
• https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5
• https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22
• https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx