Cyber Resilience

CVE-2026-22258

Severity: High · DDoS

Published: 27 January 2026

Modified: 30 January 2026
KEV Added: not listed
Patch: available (8.0.3, 7.0.14)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0048 (37.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22258 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in OISF Suricata, with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Disable or Modify Tools (T1685): crashing the sensor blinds the monitoring it provides. EPSS ranks it at the 37.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22258 is a vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. In versions prior to 8.0.3 and 7.0.14, crafted DCERPC traffic causes a parser buffer to grow without bound, exhausting memory until the process is killed. The issue was reported for DCERPC over UDP but is believed to affect DCERPC over TCP and SMB as well. It maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).

The flaw is remotely exploitable over the network with low complexity and requires neither privileges nor user interaction; its only impact is on availability (CVSS v3.1 base score 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Any unauthenticated party who can send crafted DCERPC packets across a link Suricata inspects can exhaust the sensor's memory and crash it, a denial of service against the monitoring itself rather than against any host behind it. DCERPC/TCP should not be vulnerable in the default configuration because the default stream reassembly depth of 1MiB bounds the buffered data; DCERPC/UDP has no such limit, and SMB's stream depth is unlimited by default.

Patches are available in Suricata 8.0.3 and 7.0.14 (see the project's GitHub commits and the security advisory GHSA-289c-h599-3xcx). Workarounds: for DCERPC/UDP, disable the parser; for DCERPC/TCP, `stream.reassembly.depth` caps the data that can be buffered; for DCERPC/SMB the same depth setting applies but is unlimited by default, and imposing a limit there trades away SMB visibility beyond the cap.


Vulnerability details

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.
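The workarounds described in the analysis above and in the advisory text are easy to misapply (the UDP path cannot be capped, only disabled; the SMB path is unlimited unless its own depth is set). As an added example, not code from the advisory or the Suricata project, the following Python script applies that logic to a host: it decides whether a reported Suricata version predates the fix on its branch, then walks the relevant suricata.yaml settings and reports which DCERPC paths (UDP, TCP, SMB) can still reach the unbounded buffer. The keys it inspects (`app-layer.protocols.dcerpc.enabled`, `stream.reassembly.depth`, `app-layer.protocols.smb.stream-depth`) and the assumption that DCERPC carried inside SMB is governed by the SMB parser's own `stream-depth` rather than by the DCERPC parser toggle are the author's reading of the stock suricata.yaml and should be checked against your release; both configurations in the block are constructed, not taken from a real deployment.

```python
"""Exposure check for CVE-2026-22258 (Suricata DCERPC memory exhaustion).

Added example; not code from the advisory or the Suricata project.
Assumptions (verify against your release's suricata.yaml and docs):
  * app-layer.protocols.dcerpc.enabled governs the DCERPC/UDP and DCERPC/TCP
    parsers; DCERPC carried inside SMB is handled by the SMB parser.
  * stream.reassembly.depth is the global TCP reassembly cap (0 = unlimited).
  * app-layer.protocols.smb.stream-depth overrides it for SMB flows and is
    0 (unlimited) in the stock configuration.
"""
import re

# Fix versions named in the advisory.
FIXED_7 = (7, 0, 14)
FIXED_8 = (8, 0, 3)

_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_version(v: str) -> tuple:
    """'8.0.2' or '8.0.2-dev' -> (8, 0, 2)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Suricata version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Literal reading of 'prior to 8.0.3 and 7.0.14': 8.x below 8.0.3 and
    anything below 7.0.14 (which includes unsupported 6.x) is affected."""
    v = parse_version(version)
    return v < FIXED_8 if v[0] >= 8 else v < FIXED_7


def parse_size(value) -> int:
    """Size strings as written in suricata.yaml ('1mb', '512kb', 0).
    Returns bytes; 0 means unlimited."""
    if isinstance(value, int):
        return value
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b)?\s*", str(value).lower())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def _enabled(flag) -> bool:
    """YAML 'yes'/'no' may arrive as strings or booleans."""
    return str(flag).lower() not in ("no", "false", "0")


def exposure(config: dict, version: str) -> list:
    """Return the DCERPC paths that can still trigger unbounded buffering.
    Empty list: patched, or every vulnerable path is disabled or capped."""
    if not is_affected(version):
        return []
    protos = config.get("app-layer", {}).get("protocols", {})
    findings = []
    if _enabled(protos.get("dcerpc", {}).get("enabled", "yes")):
        # UDP has no reassembly depth, so only disabling the parser helps.
        findings.append("dcerpc/udp: parser enabled, no depth limit applies to UDP")
        depth = parse_size(config.get("stream", {}).get("reassembly", {}).get("depth", "1mb"))
        if depth == 0:
            findings.append("dcerpc/tcp: stream.reassembly.depth is 0 (unlimited)")
    smb = protos.get("smb", {})
    if _enabled(smb.get("enabled", "yes")):
        # stream-depth absent -> stock default 0 -> track the whole stream.
        if parse_size(smb.get("stream-depth", 0)) == 0:
            findings.append("dcerpc/smb: smb stream-depth is 0 (unlimited, the default)")
    return findings


# Constructed configurations mirroring the relevant suricata.yaml keys.
STOCK_LIKE = {
    "stream": {"reassembly": {"depth": "1mb"}},
    "app-layer": {"protocols": {
        "dcerpc": {"enabled": "yes"},
        "smb": {"enabled": "yes", "stream-depth": 0},
    }},
}
# Workarounds applied: UDP parser off, SMB capped (at the cost of SMB
# visibility past the cap, as the advisory warns).
HARDENED = {
    "stream": {"reassembly": {"depth": "1mb"}},
    "app-layer": {"protocols": {
        "dcerpc": {"enabled": "no"},
        "smb": {"enabled": "yes", "stream-depth": "1mb"},
    }},
}

if __name__ == "__main__":
    for name, cfg in (("stock-like", STOCK_LIKE), ("hardened", HARDENED)):
        for ver in ("8.0.2", "8.0.3"):
            print(f"{name} on {ver}: {exposure(cfg, ver) or 'not exposed'}")
```

Feed it real values: the version string from `suricata -V` and a `yaml.safe_load` of the deployed suricata.yaml, which yields the same nested dicts the constructed configurations imitate. On a stock-like configuration running 8.0.2 the script reports the UDP and SMB paths as exposed and the TCP path as bounded, which is exactly the advisory's position; upgrading to 8.0.3 or 7.0.14 clears all three.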


MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1685 Disable or Modify Tools (Defense Impairment): Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Crafted DCERPC traffic exploits the unbounded resource consumption flaw to crash Suricata, directly enabling impairment/disablement of a security monitoring tool.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22259: same product (OISF Suricata)
CVE-2024-55605: same product (OISF Suricata)
CVE-2026-31935: same product (OISF Suricata)
CVE-2026-31937: same product (OISF Suricata)
CVE-2026-22262: same product (OISF Suricata)
CVE-2026-31932: same product (OISF Suricata)
CVE-2026-31933: same product (OISF Suricata)
CVE-2026-22264: same product (OISF Suricata)
CVE-2026-31934: same product (OISF Suricata)
CVE-2026-31931: same product (OISF Suricata)

Affected Assets

OISF Suricata: versions below 7.0.14, and 8.0.0 up to but not including 8.0.3 (7.0.14 and 8.0.3 are the fixed releases)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent): applying the vendor patches in Suricata 8.0.3 and 7.0.14 removes the unbounded buffer growth that causes memory exhaustion.

SC-6 Resource Availability (prevent): bounding the memory available to the Suricata process (for example, a memory cap on the sensor's service or container) keeps crafted DCERPC traffic from exhausting the host even when it can still kill the sensor.

Configuration settings (prevent; no control ID given on this page): enforcing the workaround settings, a `stream.reassembly.depth` limit (and an SMB stream depth, which is unlimited by default) plus disabling the DCERPC/UDP parser, bounds the data Suricata will buffer.
