CVE-2026-22258
Published: 27 January 2026
Summary
CVE-2026-22258 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Suricata, the network IDS/IPS/NSM engine maintained by OISF. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Disable or Modify Tools (T1685): crashing the sensor leaves the monitored segment unwatched until the process is restarted. The CVE ranks at the 37.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22258 is a vulnerability in Suricata, the open-source network intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring (NSM) engine maintained by OISF. In versions prior to 8.0.3 and 7.0.14, crafted DCERPC traffic causes the parser to grow a buffer with no upper bound, so memory is exhausted until the process is killed. The issue was reported for DCERPC over UDP but is believed to affect DCERPC over TCP and over SMB as well. It maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Exploitation is network-based and low complexity, needs no privileges or user interaction, and has a high availability impact (CVSS v3.1 base score 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Any unauthenticated attacker whose packets cross a segment Suricata monitors can send crafted DCERPC traffic, exhaust the sensor's memory and crash it; the packets do not need to be addressed to the sensor itself. While the process is down the segment is unmonitored, which is what makes this an attack on the security tooling rather than a plain denial of service. DCERPC/TCP should not be vulnerable in the default configuration because the default stream reassembly depth caps buffered data at 1MiB; UDP is not stream-reassembled, so no such bound applies to DCERPC/UDP.
Fixes ship in Suricata 8.0.3 and 7.0.14 (see the project's GitHub commits and security advisory GHSA-289c-h599-3xcx). Until the upgrade is in place, the advisory's workarounds are: for DCERPC/UDP, disable the parser; for DCERPC/TCP, rely on `stream.reassembly.depth`, which limits how much data can be buffered (the 1MiB default already does); for DCERPC over SMB, the same setting applies, but SMB's stream depth is unlimited by default, and imposing a limit will cost visibility into long SMB sessions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4784
Vulnerability details
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.
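The following is an added example, not code from the Suricata project or from the advisory. It turns the two checks a practitioner actually runs into a small Python audit: whether the build reported by `suricata -V` carries the fix, and which DCERPC paths remain unbounded in a given suricata.yaml given the advisory's workarounds (parser disabled for UDP, `stream.reassembly.depth` for TCP, SMB's own stream depth for SMB). The two configuration excerpts are constructed for the example. The key names `app-layer.protocols.dcerpc.enabled` and `app-layer.protocols.smb.stream-depth`, and their defaults (parser enabled; SMB depth 0, meaning unlimited), are this author's reading of the shipped suricata.yaml and are marked as assumptions in the comments, as is the minimal indentation-based parser that stands in for a real YAML library.

```python
"""Audit a Suricata deployment against CVE-2026-22258 (added example)."""
import re

# Fixed versions named in the advisory, keyed by major release. Anything
# older on the same branch is affected; unlisted older majors are treated
# as affected too, since the advisory says nothing about them.
FIXED = {7: (7, 0, 14), 8: (8, 0, 3)}


def parse_version(banner: str) -> tuple:
    """Extract x.y.z from a banner such as 'This is Suricata version 7.0.13 RELEASE'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(banner: str) -> bool:
    """True when the reported version is at or above the fixed release for its branch."""
    v = parse_version(banner)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Assumption: majors newer than 8 branch from already-fixed code.
        return v[0] > 8
    return v >= fixed


def parse_yaml_subset(text: str) -> dict:
    """Minimal parser for the nested 'key: value' subset of suricata.yaml used here.
    Assumption/simplification: no lists, anchors or quoted scalars; '#' starts a comment."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def _get(cfg: dict, dotted: str, default=None):
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def _unlimited(depth) -> bool:
    # Suricata size settings: '0' means no limit; '1mb' and friends are bounds.
    return str(depth).strip().lower() in ("0", "0b", "unlimited")


def _enabled(value) -> bool:
    return str(value).strip().lower() in ("yes", "true")


def audit(cfg: dict) -> dict:
    """Report which DCERPC paths are still unbounded, per the advisory's workarounds."""
    # Assumption: this key is the 'disable the parser' switch the advisory refers to.
    dcerpc_on = _enabled(_get(cfg, "app-layer.protocols.dcerpc.enabled", "yes"))
    # The advisory states the default stream depth is 1MiB, which bounds DCERPC/TCP.
    tcp_depth = _get(cfg, "stream.reassembly.depth", "1mb")
    # Assumption: SMB's own stream-depth overrides the global one and defaults to 0.
    smb_on = _enabled(_get(cfg, "app-layer.protocols.smb.enabled", "yes"))
    smb_depth = _get(cfg, "app-layer.protocols.smb.stream-depth", "0")
    return {
        "dcerpc_udp_exposed": dcerpc_on,                      # no reassembly depth on UDP
        "dcerpc_tcp_exposed": dcerpc_on and _unlimited(tcp_depth),
        "smb_exposed": smb_on and _unlimited(smb_depth),
    }


# Constructed excerpt in the shape of the shipped defaults: parser on, 1mb
# TCP depth, SMB depth unlimited.
DEFAULT_CONFIG = """
stream:
  reassembly:
    depth: 1mb
app-layer:
  protocols:
    dcerpc:
      enabled: yes
    smb:
      enabled: yes
      stream-depth: 0
"""

# Constructed excerpt with the advisory's workarounds applied.
HARDENED_CONFIG = """
stream:
  reassembly:
    depth: 1mb
app-layer:
  protocols:
    dcerpc:
      enabled: no        # DCERPC/UDP workaround: disable the parser
    smb:
      enabled: yes
      stream-depth: 1mb  # bounds SMB buffering; reduces SMB visibility
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_yaml_subset(text)))
    print("7.0.13 patched:", is_patched("This is Suricata version 7.0.13 RELEASE"))
```

Run it as-is to audit the two embedded excerpts; against a live sensor, pass the `suricata -V` banner to `is_patched` and the `stream` and `app-layer` sections of the deployed suricata.yaml to `parse_yaml_subset`. An unpatched version is the finding regardless of what the configuration audit says: the workarounds narrow exposure, and the SMB bound trades away visibility as the advisory notes.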
- CWE(s): CWE-400 (Uncontrolled Resource Consumption); CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Disable or Modify Tools (T1685)
Why these techniques?
Crafted DCERPC traffic triggers the unbounded allocation and crashes Suricata, which takes the security monitoring tool out of service for as long as the process is down; that impairment is the effect the technique describes.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): upgrading to Suricata 8.0.3 or 7.0.14 removes the unbounded buffer growth that leads to memory exhaustion; this is the only complete fix.
- SC-6 (Resource Availability): bounding the memory Suricata may consume (for example a per-process memory limit) keeps a crafted DCERPC stream from taking the host down with it, though the sensor process itself can still be killed, so this protects the host rather than the monitoring.
- Secure configuration settings: until the patch is applied, disabling the DCERPC/UDP parser and keeping `stream.reassembly.depth` (and SMB's stream depth) at a bound limit how much data a single stream can buffer, at the cost of SMB visibility.