CVE-2026-22260
Published: 27 January 2026
Summary
CVE-2026-22260 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Supports resumption at an alternate site when uncontrolled recursion causes the primary site to fail or crash.
- Prevents uncontrolled recursion from exhausting stack or CPU resources.
- Memory protections such as a non-executable stack (NX/DEP) stop shellcode placed by an out-of-bounds write from executing or corrupting control flow.
These controls limit escalation beyond a crash; they do not prevent the crash itself. Only the 8.0.3 patch or the body-limit workaround described below removes the denial-of-service condition.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Remote stack overflow in public-facing Suricata IDS/IPS allows crafted traffic to crash the engine, directly enabling T1190 exploitation for DoS.
NVD Description
Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.
Deeper analysis (AI-generated)
CVE-2026-22260 is a stack overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions 8.0.0 through 8.0.2, where unbounded recursion while processing certain inputs exhausts the stack and crashes the Suricata process. It is classified under CWE-674 (Uncontrolled Recursion) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U); the full vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. An attacker who can send crafted network traffic to a Suricata deployment, such as HTTP requests exceeding the configured body limits, can cause a denial-of-service condition by crashing the engine, disrupting IDS/IPS/NSM functionality and producing a high availability impact (A:H) with no direct confidentiality or integrity effects.
Suricata version 8.0.3 includes a patch to address the issue, as detailed in the commit at https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185 and the security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22. As a workaround prior to patching, use the default values for the `request-body-limit` and `response-body-limit` configuration options to prevent oversized inputs from triggering the overflow. Additional details are available at https://redmine.openinfosecfoundation.org/issues/8185.
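The two questions a practitioner has to answer for this CVE are whether a sensor runs an affected release and, if so, whether the `request-body-limit` / `response-body-limit` workaround is actually in place. The following triage helper, added here as an example and not code from the Suricata project, answers both from a `suricata -V` banner and a `suricata.yaml` fragment. It assumes the shipped default of `100kb` for both limits, that a value of `0` means unlimited, and that the keys appear one per line (it uses line-based extraction rather than a YAML parser, which also catches per-server `server-config` overrides); the banner and the two configuration fragments are constructed inputs, not captured from a real host.

```python
import re

# Affected range from the advisory: 8.0.0 <= version < 8.0.3 (fixed in 8.0.3).
FIRST_AFFECTED = (8, 0, 0)
FIXED_IN = (8, 0, 3)

# Assumption: the suricata.yaml shipped with Suricata sets both limits to 100kb.
SHIPPED_DEFAULT = "100kb"

_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from `suricata -V` output."""
    m = re.search(r"version\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """True for 8.0.0 through 8.0.2; 8.0.3 and later (and 7.x) are not affected."""
    return FIRST_AFFECTED <= version < FIXED_IN


def parse_size(value: str) -> int:
    """Convert a Suricata size string ('100kb', '4mb', '0', '1 GiB') to bytes.

    Simplified stand-in for Suricata's own size parser (assumption: an integer
    with an optional b/kb/mb/gb suffix; an 'i' as in KiB is tolerated)."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?i?b)?\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    number, unit = m.groups()
    unit = (unit or "b").lower().replace("i", "")
    return int(number) * _UNITS[unit]


def body_limits(yaml_text: str) -> list:
    """Return every (key, raw_value) pair for the two body-limit keys, in file order.

    Line-based on purpose: it does not track YAML nesting, so it reports the
    default-config values and any per-server overrides alike."""
    pat = re.compile(r"^\s*(request-body-limit|response-body-limit)\s*:\s*(\S+)", re.M)
    return [(m.group(1), m.group(2)) for m in pat.finditer(yaml_text)]


def assess(banner: str, yaml_text: str) -> dict:
    """Combine the version check with the workaround check.

    Findings are only produced for affected versions; an absent key is not
    flagged because the built-in default then applies."""
    version = parse_version(banner)
    result = {"version": version, "affected": is_affected(version), "findings": []}
    if not result["affected"]:
        return result
    default_bytes = parse_size(SHIPPED_DEFAULT)
    for key, raw in body_limits(yaml_text):
        size = parse_size(raw)
        # Assumption: 0 means "no limit"; anything above the shipped default
        # also departs from the documented workaround.
        if size == 0 or size > default_bytes:
            result["findings"].append(f"{key}: {raw} (expected <= {SHIPPED_DEFAULT})")
    return result


# Constructed sample inputs (not captured from a real sensor).
BANNER = "This is Suricata version 8.0.1 RELEASE"

WEAK_YAML = """\
app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 0
          response-body-limit: 4mb
"""

# Same fragment with the workaround applied: both limits back at the shipped default.
DEFAULT_YAML = (
    WEAK_YAML.replace("request-body-limit: 0", "request-body-limit: 100kb")
    .replace("response-body-limit: 4mb", "response-body-limit: 100kb")
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_YAML), ("default", DEFAULT_YAML)):
        print(name, assess(BANNER, cfg))
```

Run it against the real banner and the real `suricata.yaml` on each sensor; an affected version with any finding means the workaround is not in effect and the host still crashes on crafted traffic until 8.0.3 is installed.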
Details
- CWE(s)