Cyber Resilience

CVE-2026-22260

Severity: High · Category: DDoS

Published: 27 January 2026
Modified: 29 January 2026
KEV Added: not listed
Patch: 8.0.3
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22260 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22260 is a stack overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions 8.0.0 through 8.0.2, where improper handling of certain inputs can trigger a stack overflow, causing the Suricata process to crash. It is classified under CWE-674 (Uncontrolled Recursion) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.5.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). An attacker who can send crafted network traffic to a Suricata deployment—such as HTTP requests exceeding configured body limits—can cause a denial-of-service condition by crashing the engine, disrupting IDS/IPS/NSM functionality and potentially leading to high availability impact (A:H) with no direct confidentiality or integrity effects.

Suricata version 8.0.3 includes a patch to address the issue, as detailed in the commit at https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185 and the security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22. As a workaround prior to patching, use the default values for the `request-body-limit` and `response-body-limit` configuration options to prevent oversized inputs from triggering the overflow. Additional details are available at https://redmine.openinfosecfoundation.org/issues/8185.

Vulnerability details

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote stack overflow in public-facing Suricata IDS/IPS allows crafted traffic to crash the engine, directly enabling T1190 exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22262 (same product: Oisf Suricata)
CVE-2024-55627 (same product: Oisf Suricata)
CVE-2026-22258 (same product: Oisf Suricata)
CVE-2026-31934 (same product: Oisf Suricata)
CVE-2024-55605 (same product: Oisf Suricata)
CVE-2026-22259 (same product: Oisf Suricata)
CVE-2026-31937 (same product: Oisf Suricata)
CVE-2026-31935 (same product: Oisf Suricata)
CVE-2026-31933 (same product: Oisf Suricata)
CVE-2026-31932 (same product: Oisf Suricata)

Affected Assets

Vendor: oisf
Product: suricata
Versions: 8.0.0 — 8.0.3

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-2 (Flaw Remediation). Directly mitigates the stack overflow vulnerability by requiring timely remediation through patching Suricata to version 8.0.3 or later.

Prevent: SI-16 (Memory Protection). Implements memory protection controls specifically designed to prevent crashes from stack overflows and out-of-bounds writes exploited in this CVE.

Prevent: Restricts the quantity of input data, such as enforcing the default `request-body-limit` and `response-body-limit` values to block oversized HTTP requests that trigger the overflow.