CVE-2026-22258
Published: 27 January 2026
Summary
CVE-2026-22258 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The CVE is ranked at the 20.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
Planning and coordination of security activities (scans, tests, maintenance) imposes scheduling and throttling so that those activities do not themselves produce uncontrolled resource consumption.
Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.
Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Crafted DCERPC traffic exploits the unbounded resource consumption flaw to crash Suricata, directly enabling impairment/disablement of a security monitoring tool.
NVD Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.
Deeper analysis
CVE-2026-22258 is a vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. In versions prior to 8.0.3 and 7.0.14, crafted DCERPC traffic causes a buffer to grow without bound, leading to memory exhaustion and process termination. The issue was reported specifically for DCERPC over UDP but is believed to affect DCERPC over TCP and SMB as well. It maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability enables remote network-based exploitation with low complexity, requiring no privileges or user interaction, resulting in high-impact availability disruption (CVSS v3.1 base score of 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Any unauthenticated attacker who can send crafted DCERPC packets to network interfaces monitored by Suricata can exhaust memory and crash the process, causing denial of service. DCERPC/TCP is not vulnerable in the default configuration due to a 1MiB stream depth limit.
Patches addressing this issue are available in Suricata 8.0.3 and 7.0.14, as detailed in the project's GitHub commits and security advisory (GHSA-289c-h599-3xcx). Workarounds include disabling the DCERPC/UDP parser; for DCERPC/TCP and SMB, setting `stream.reassembly.depth` limits buffered data, though SMB defaults to unlimited depth, which may reduce protocol visibility if constrained.
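Added example, not from the advisory or the Suricata project: the suricata.yaml settings the workarounds above refer to, first as they commonly appear by default and then with the mitigated values. `stream.reassembly.depth` is named in the advisory; the keys `app-layer.protocols.dcerpc.enabled` and `app-layer.protocols.smb.stream-depth` are assumed from the standard suricata.yaml layout, and the assumption that `dcerpc.enabled` governs both the UDP and TCP parser is noted in the comments.

```yaml
# Constructed suricata.yaml fragment (example only, not the shipped file).
# Document 1: typical defaults on an unpatched 7.0.x / 8.0.x install.
# Document 2: the workaround values from the advisory, with their trade-offs.
---
stream:
  reassembly:
    depth: 1mb            # default; already bounds DCERPC/TCP buffering

app-layer:
  protocols:
    dcerpc:
      enabled: yes        # DCERPC parser on; DCERPC/UDP buffer is unbounded
    smb:
      enabled: yes
      # stream-depth: 0   # assumed key; 0 = unlimited, so DCERPC over SMB
                          # is not bounded by stream.reassembly.depth
---
stream:
  reassembly:
    depth: 1mb            # keep a finite value; this is the DCERPC/TCP limit

app-layer:
  protocols:
    dcerpc:
      enabled: no         # DCERPC/UDP workaround: disable the parser.
                          # Assumption: this key also disables DCERPC/TCP
                          # parsing, so expect reduced DCERPC visibility.
    smb:
      enabled: yes
      stream-depth: 1mb   # assumed key; bounds SMB stream data. The advisory
                          # warns this costs SMB visibility, so size it to
                          # the largest SMB transfers you need to inspect.
```

Apply these only as an interim measure; the patched releases 8.0.3 and 7.0.14 remove the need to trade visibility for memory bounds.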
Details
- CWE(s)