CVE-2026-22260
Published: 27 January 2026
Summary
CVE-2026-22260 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22260 is a stack overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions 8.0.0 through 8.0.2, where improper handling of certain inputs can trigger a stack overflow, causing the Suricata process to crash. It is classified under CWE-674 (Uncontrolled Recursion) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). An attacker who can send crafted network traffic to a Suricata deployment—such as HTTP requests exceeding configured body limits—can cause a denial-of-service condition by crashing the engine, disrupting IDS/IPS/NSM functionality and potentially leading to high availability impact (A:H) with no direct confidentiality or integrity effects.
Suricata version 8.0.3 includes a patch to address the issue, as detailed in the commit at https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185 and the security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22. As a workaround prior to patching, use the default values for the `request-body-limit` and `response-body-limit` configuration options to prevent oversized inputs from triggering the overflow. Additional details are available at https://redmine.openinfosecfoundation.org/issues/8185.
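A configuration audit for the workaround above, as an added example that is not code from the advisory or from the Suricata project. It assumes 100 KiB is the shipped default for both options and that the caller supplies the version string and the suricata.yaml text; the sample config is constructed.

```python
import re

# Range stated on this page: 8.0.0 <= version < 8.0.3
AFFECTED_MIN, FIXED_IN = (8, 0, 0), (8, 0, 3)
# Assumption: 100 KiB is the stock value of both options; confirm against
# the suricata.yaml shipped with your package.
DEFAULT_LIMIT = 100 * 1024
# Assumption: size suffixes are treated as powers of 1024.
UNITS = {"": 1, "kb": 1024, "kib": 1024, "mb": 1024**2, "mib": 1024**2,
         "gb": 1024**3, "gib": 1024**3}
LIMIT_RE = re.compile(r"^\s*(request-body-limit|response-body-limit)\s*:\s*([^#\n]*)")
# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          request-body-limit: 100 KiB
          response-body-limit: 1 GiB   # raised for file extraction
"""

def parse_size(text):
    """Convert '100kb', '100 KiB' or '0' to bytes; None if unparseable."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([a-z]*)", text.strip().strip("'\"").lower())
    if not m or m.group(2) not in UNITS:
        return None
    return int(float(m.group(1)) * UNITS[m.group(2)])

def is_affected(version):
    """True when the version falls inside the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return AFFECTED_MIN <= tuple(int(g) for g in m.groups()) < FIXED_IN

def non_default_limits(yaml_text):
    """Return (line_no, option, raw_value) for each limit not at the default."""
    findings = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        m = LIMIT_RE.match(line)  # commented-out lines do not match
        if m and parse_size(m.group(2)) != DEFAULT_LIMIT:
            findings.append((no, m.group(1), m.group(2).strip()))
    return findings

def assess(version, yaml_text):
    """Combine the version check with the workaround check."""
    if not is_affected(version):
        return "not-affected", []
    findings = non_default_limits(yaml_text)
    return ("upgrade-and-restore-defaults" if findings else "upgrade"), findings
```

The line-based scan covers every `libhtp` server block in the file, including per-address `server-config` entries, without needing a YAML parser.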
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4793
Vulnerability details
Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote stack overflow in public-facing Suricata IDS/IPS allows crafted traffic to crash the engine, directly enabling T1190 exploitation for DoS.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the stack overflow vulnerability by requiring timely remediation through patching Suricata to version 8.0.3 or later.
- Implements memory protection controls specifically designed to prevent crashes from stack overflows and out-of-bounds writes exploited in this CVE.
- Restricts the quantity of input data, such as enforcing the default `request-body-limit` and `response-body-limit` to block oversized HTTP requests that trigger the overflow.