Cyber Resilience

CVE-2026-22259

High · DDoS

Published: 27 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0051 (39.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22259 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The CVE is ranked at the 39.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-22259 is a denial-of-service vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The issue affects Suricata versions prior to 8.0.3 and 7.0.14, where specially crafted DNP3 traffic triggers excessive memory consumption during parsing. This stems from unbounded resource allocation flaws, mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network without authentication by sending malformed DNP3 packets to interfaces monitored by Suricata. No user interaction is required. Memory exhaustion causes the Suricata process to slow down significantly and can end in termination by the system's Out-Of-Memory (OOM) killer. This disrupts IDS/IPS/NSM functionality and leaves network traffic unmonitored for as long as the sensor is down.

Patches are available in Suricata versions 8.0.3 and 7.0.14, as detailed in the GitHub commits (50cac2e2465ca211eabfa156623e585e9037bb7e and 63225d5f8ef64cc65164c0bb1800730842d54942) and the OISF security advisory (GHSA-878h-2x6v-84q9). As a workaround, administrators can disable the DNP3 parser in the Suricata YAML configuration file, noting that it is disabled by default. Additional details are in Open Information Security Foundation Redmine issue 8181.
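The two conditions the advisory gives for exposure are a version before the fixed releases and an enabled DNP3 parser. The following triage helper is an added example, not part of this advisory or of the Suricata project. It assumes the fixed versions stated above (7.0.14 and 8.0.3), the upstream suricata.yaml layout (app-layer, protocols, dnp3, enabled) and that `suricata -V` prints a line containing an X.Y.Z version; the sample YAML fragments are constructed for the example.

```python
"""Triage helper for CVE-2026-22259 (added example; not advisory or Suricata code).

Assumptions: fixed versions 7.0.14 and 8.0.3 (from the advisory); the default
suricata.yaml layout app-layer -> protocols -> dnp3 -> enabled; and that
`suricata -V` prints a line containing the X.Y.Z version string.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Per the advisory: everything before 7.0.14, and 8.0.0 up to (not including)
# 8.0.3, is affected. Older lines (6.x and earlier) are "prior to" both fixes.
FIXED_7 = (7, 0, 14)
FIXED_8 = (8, 0, 3)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z triple from free text such as `suricata -V` output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True if the version is in a range the advisory lists as vulnerable."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no X.Y.Z version found in {version_text!r}")
    if v < FIXED_7:
        return True                  # any 7.0.x before 7.0.14, or an older line
    if v[0] == 8:
        return v < FIXED_8           # 8.0.0 .. 8.0.2
    return False                     # 7.0.14+ on the 7.x line, or 8.0.3+


def dnp3_enabled(yaml_text: str) -> bool:
    """Return True unless the dnp3 block explicitly sets `enabled: no/false/off`.

    Indentation-based scan of the default layout; no PyYAML needed. A missing
    dnp3 block counts as disabled, matching the upstream default. Any value
    other than an explicit "no" (e.g. yes, detection-only) is treated as
    enabled, because the parser still runs in those modes.
    """
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.fullmatch(r"dnp3:\s*", stripped):
            block_indent = len(line) - len(line.lstrip())
            for child in lines[i + 1:]:
                cs = child.strip()
                if not cs or cs.startswith("#"):
                    continue
                if len(child) - len(child.lstrip()) <= block_indent:
                    break            # left the dnp3 block
                m = re.match(r"enabled:\s*(\S+)", cs)
                if m:
                    value = m.group(1).strip("\"'").lower()
                    return value not in ("no", "false", "off")
            return False             # dnp3 block present but no `enabled:` key
    return False


def triage(version_text: str, yaml_text: str) -> dict:
    """Combine both checks; `exposed` is True only when both conditions hold."""
    vulnerable = is_affected(version_text)
    enabled = dnp3_enabled(yaml_text)
    return {"vulnerable_version": vulnerable,
            "dnp3_enabled": enabled,
            "exposed": vulnerable and enabled}


# Constructed sample configs for the example (upstream default has `enabled: no`).
SAMPLE_DEFAULT_YAML = """\
app-layer:
  protocols:
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    modbus:
      enabled: no
"""
SAMPLE_ENABLED_YAML = SAMPLE_DEFAULT_YAML.replace(
    "dnp3:\n      enabled: no", "dnp3:\n      enabled: yes")


if __name__ == "__main__":
    # Assumption: `suricata -V` exists on the host and prints the version line.
    version_text = "7.0.13"                      # constructed fallback value
    if shutil.which("suricata"):
        version_text = subprocess.run(["suricata", "-V"], capture_output=True,
                                      text=True, check=False).stdout
    print(triage(version_text, SAMPLE_ENABLED_YAML))
```

On a real host, replace SAMPLE_ENABLED_YAML with the contents of the deployed suricata.yaml; the conservative reading of `enabled` means any non-default value is flagged for review rather than silently passed.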

Vulnerability details

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1685 Disable or Modify Tools (Defense Impairment)
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Remote unauthenticated DoS via crafted DNP3 traffic directly impairs Suricata's detection capabilities by exhausting resources and terminating the process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22258 (same product: Oisf Suricata)
CVE-2024-55605 (same product: Oisf Suricata)
CVE-2026-31935 (same product: Oisf Suricata)
CVE-2026-31937 (same product: Oisf Suricata)
CVE-2026-22262 (same product: Oisf Suricata)
CVE-2026-31932 (same product: Oisf Suricata)
CVE-2026-31933 (same product: Oisf Suricata)
CVE-2026-22264 (same product: Oisf Suricata)
CVE-2026-31934 (same product: Oisf Suricata)
CVE-2026-31931 (same product: Oisf Suricata)

Affected Assets

oisf suricata: ≤ 7.0.14 · 8.0.0 to 8.0.3

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires timely flaw remediation, including applying patches to Suricata versions 8.0.3 or 7.0.14 that fix the unbounded memory allocation in the DNP3 parser.

Prevent: Enforces least functionality by disabling the unnecessary DNP3 parser in Suricata's configuration (disabled by default), eliminating the vulnerable parsing code from execution.

Prevent: Protects resource availability by limiting memory allocation and throttling consumption, directly countering the CWE-400/770 uncontrolled resource exhaustion from crafted DNP3 traffic.
