CVE-2026-22259
Published: 27 January 2026
Summary
CVE-2026-22259 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
Planning and coordinating security activities (scans, tests, maintenance) imposes scheduling and throttling so that those activities themselves do not produce uncontrolled resource consumption.
Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.
Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Remote unauthenticated DoS via crafted DNP3 traffic directly impairs Suricata's detection capabilities by exhausting resources and terminating the process.
NVD Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default).
Deeper analysis (AI-generated)
CVE-2026-22259 is a denial-of-service vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The issue affects Suricata versions prior to 8.0.3 and 7.0.14, where specially crafted DNP3 traffic triggers excessive memory consumption during parsing. This stems from unbounded resource allocation flaws, mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over the network without authentication by sending malformed DNP3 packets to interfaces monitored by Suricata. No user interaction is required, enabling unauthenticated attackers to cause the Suricata process to slow down significantly due to memory exhaustion, potentially resulting in termination by the system's Out-Of-Memory (OOM) killer. This disrupts IDS/IPS/NSM functionality, leading to unmonitored network traffic.
Patches are available in Suricata versions 8.0.3 and 7.0.14, as detailed in the GitHub commits (50cac2e2465ca211eabfa156623e585e9037bb7e and 63225d5f8ef64cc65164c0bb1800730842d54942) and the OISF security advisory (GHSA-878h-2x6v-84q9). As a workaround, administrators can disable the DNP3 parser in the Suricata YAML configuration file, noting that it is disabled by default. Additional details are in Open Information Security Foundation Redmine issue 8181.
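The two facts a defender needs from the advisory are whether the running build predates the fixed versions (7.0.14 on the 7.0.x branch, 8.0.3 on the 8.0.x branch) and whether the DNP3 parser is actually switched on, since the workaround is simply leaving it disabled. The following triage helper is an added example, not code from OISF or the Suricata project. It assumes the version banner has the shape printed by `suricata -V` ("This is Suricata version 7.0.13 RELEASE") and that the parser toggle lives at `app-layer: protocols: dnp3: enabled:` in suricata.yaml, as it does in the stock configuration; the sample banner and configuration below are constructed for the example.

```python
"""Triage helper for CVE-2026-22259 (added example; not OISF/Suricata code)."""
import re


def parse_version(banner):
    """Pull (major, minor, patch) out of a 'suricata -V' style banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no x.y.z version found in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the build predates the fixes named in the advisory.

    'Prior to 8.0.3 and 7.0.14' is read as: everything below 7.0.14 is
    affected, and 8.0.0 up to (not including) 8.0.3 is affected. A 7.0.x
    build at or above 7.0.14 is fixed. (Assumption: no other release
    branches carry the DNP3 parser in an unfixed state.)
    """
    if version < (7, 0, 14):
        return True
    if (8, 0, 0) <= version < (8, 0, 3):
        return True
    return False


def yaml_lookup(text, path):
    """Indentation-based lookup of a nested scalar in a YAML mapping.

    Handles only the 'key:' / 'key: value' block-mapping form used in
    suricata.yaml (comments stripped); it is deliberately not a general
    YAML parser. Returns None when any key on the path is missing.
    """
    lines = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].rstrip()
        if stripped.strip():
            lines.append(stripped)
    idx, parent_indent = 0, -1
    for depth, key in enumerate(path):
        level_indent, found = None, False
        while idx < len(lines):
            line = lines[idx]
            indent = len(line) - len(line.lstrip())
            if indent <= parent_indent:
                break  # walked out of the parent mapping without a match
            if level_indent is None:
                level_indent = indent  # first child fixes this level's indent
            name, _, value = line.strip().partition(":")
            idx += 1
            if indent == level_indent and name.strip() == key:
                if depth == len(path) - 1:
                    return value.strip().strip("\"'") or None
                parent_indent, found = indent, True
                break
        if not found:
            return None
    return None


def dnp3_parser_enabled(config_text):
    """Suricata ships with dnp3 disabled, so an absent key means 'off'."""
    value = yaml_lookup(config_text, ["app-layer", "protocols", "dnp3", "enabled"])
    return value is not None and value.lower() in ("yes", "true")


def triage(banner, config_text):
    """Return 'patched', 'workaround-in-place' or 'exposed'."""
    if not is_affected(parse_version(banner)):
        return "patched"
    return "exposed" if dnp3_parser_enabled(config_text) else "workaround-in-place"


# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "This is Suricata version 7.0.13 RELEASE"
SAMPLE_CONFIG_DNP3_ON = """\
%YAML 1.1
---
app-layer:
  protocols:
    dnp3:
      enabled: yes   # operator turned the parser on
      detection-ports:
        dp: 20000
    modbus:
      enabled: no
"""
SAMPLE_CONFIG_DNP3_OFF = SAMPLE_CONFIG_DNP3_ON.replace("enabled: yes", "enabled: no", 1)

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG_DNP3_ON))   # exposed
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG_DNP3_OFF))  # workaround-in-place
```

Run against the real banner and the live suricata.yaml, the helper separates the three states worth reporting: a fixed build, an affected build kept safe by the parser being off, and an affected build with DNP3 parsing enabled that needs the upgrade to 7.0.14 or 8.0.3.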
Details
- CWE(s)