CVE-2026-22259
Published: 27 January 2026
Summary
CVE-2026-22259 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). The vulnerability ranks at the 39.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-22259 is a denial-of-service vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The issue affects Suricata versions prior to 8.0.3 and 7.0.14, where specially crafted DNP3 traffic triggers excessive memory consumption during parsing. This stems from unbounded resource allocation flaws, mapped to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over the network without authentication by sending malformed DNP3 packets to interfaces monitored by Suricata. No user interaction is required, enabling unauthenticated attackers to cause the Suricata process to slow down significantly due to memory exhaustion, potentially resulting in termination by the system's Out-Of-Memory (OOM) killer. This disrupts IDS/IPS/NSM functionality, leading to unmonitored network traffic.
Patches are available in Suricata versions 8.0.3 and 7.0.14, as detailed in the GitHub commits (50cac2e2465ca211eabfa156623e585e9037bb7e and 63225d5f8ef64cc65164c0bb1800730842d54942) and the OISF security advisory (GHSA-878h-2x6v-84q9). As a workaround, administrators can disable the DNP3 parser in the Suricata YAML configuration file, noting that it is disabled by default. Additional details are in Open Information Security Foundation Redmine issue 8181.
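The two facts above that a defender can act on are the fixed versions (8.0.3 and 7.0.14) and the DNP3 parser switch in suricata.yaml. The following script is an added example, not part of this CVE record or of the Suricata project: it classifies a sensor as patched, mitigated (parser disabled) or exposed. The two suricata.yaml fragments are constructed for the example; their app-layer/protocols/dnp3 layout is modelled on the stock configuration's shape, and the tiny YAML reader handles only that nested key/value form (a real tool would use PyYAML). Treating an absent `enabled` key as "cannot confirm the workaround, so assume enabled" is this script's conservative choice, not a statement about how Suricata resolves a missing key.

```python
"""Offline exposure check for CVE-2026-22259 (added example, not Suricata code)."""

# Constructed suricata.yaml fragments; values are illustrative, not from a real sensor.
DNP3_ENABLED_FRAGMENT = """\
app-layer:
  protocols:
    dnp3:
      enabled: yes          # parser on: DNP3 traffic reaches the affected parsing code
      detection-ports:
        dp: 20000
"""

DNP3_DISABLED_FRAGMENT = """\
app-layer:
  protocols:
    dnp3:
      enabled: no           # the advisory's workaround (and the shipped default)
      detection-ports:
        dp: 20000
"""

FIXED_7X = (7, 0, 14)   # closes the 7.0.x line
FIXED_8X = (8, 0, 3)    # closes the 8.x line


def parse_version(text):
    """'8.0.3' -> (8, 0, 3); a suffix such as '-dev' is ignored, '8.0' pads to (8, 0, 0)."""
    core = text.strip().split("-", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_patched(version):
    """True when the running version already contains the fix.

    Anything below 7.0.14 (6.x included) is treated as affected, and so is
    8.0.0 to 8.0.2 even though it is newer than the 7.0.14 fix release.
    """
    v = parse_version(version)
    if v >= FIXED_8X:
        return True
    return FIXED_7X <= v < (8, 0, 0)


def parse_simple_yaml(text):
    """Indentation-based reader for nested 'key: value' mappings with '#' comments.

    Deliberately minimal: enough for the app-layer block above, not full YAML.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:      # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":                    # a key with no scalar opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def dnp3_parser_enabled(config):
    """True unless app-layer.protocols.dnp3.enabled is explicitly 'no'/'false'.

    Other values (e.g. 'yes', 'detection-only') leave the parser reachable.
    A missing key is reported as enabled: the check cannot prove the workaround
    is in place, so it errs on the side of flagging the sensor.
    """
    try:
        value = config["app-layer"]["protocols"]["dnp3"]["enabled"]
    except (KeyError, TypeError):
        return True
    return str(value).strip().lower() not in ("no", "false")


def assess(version, config_text):
    """Return 'patched', 'mitigated' or 'exposed' for one sensor."""
    if is_patched(version):
        return "patched"
    if not dnp3_parser_enabled(parse_simple_yaml(config_text)):
        return "mitigated"   # affected code present but unreachable: DNP3 parser off
    return "exposed"


if __name__ == "__main__":
    for ver, cfg in (("8.0.2", DNP3_ENABLED_FRAGMENT),
                     ("8.0.2", DNP3_DISABLED_FRAGMENT),
                     ("7.0.13", DNP3_ENABLED_FRAGMENT),
                     ("7.0.14", DNP3_ENABLED_FRAGMENT)):
        print(f"suricata {ver}: {assess(ver, cfg)}")
```

In practice the version would come from `suricata -V` and the fragment from the sensor's own suricata.yaml; the point of the two-branch version test is that a sensor on 8.0.2 is still affected even though it is newer than 7.0.14.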
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4789
Vulnerability details
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default).
- CWE(s): CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Disable or Modify Tools (T1685)
Why these techniques?
Remote unauthenticated DoS via crafted DNP3 traffic directly impairs Suricata's detection capabilities by exhausting resources and terminating the process.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely flaw remediation, including applying patches to Suricata versions 8.0.3 or 7.0.14 that fix the unbounded memory allocation in the DNP3 parser.
- CM-7 (Least Functionality): enforces least functionality by disabling the unnecessary DNP3 parser in Suricata's configuration (disabled by default), eliminating the vulnerable parsing code from execution.
- SC-6 (Resource Availability): protects resource availability by limiting memory allocation and throttling consumption, directly countering the CWE-400/770 uncontrolled resource exhaustion from crafted DNP3 traffic.