CVE-2026-22262
Published: 27 January 2026
Summary
CVE-2026-22262 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Oisf Suricata. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow enables remote DoS crash of Suricata IDS/IPS (impairing defenses via tool disablement or application exploitation).
NVD Description
Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result…
more
in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options.
Deeper analysisAI
CVE-2026-22262 is a stack buffer overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw arises during dataset saving operations, where a fixed-size stack buffer prepares the data; oversized dataset content prior to versions 8.0.3 and 7.0.14 triggers the overflow. Published on 2026-01-27, it is rated 5.9 on the CVSS v3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
An unauthenticated remote attacker with network access can exploit the vulnerability by crafting traffic that activates Suricata rules using oversized datasets, though this requires high attack complexity with no user interaction needed. Exploitation leads to a denial-of-service condition via stack overflow-induced application crash, disrupting IDS/IPS/NSM functionality without impacting confidentiality or integrity.
Patches resolving the issue are included in Suricata versions 8.0.3 and 7.0.14, with fixes detailed in GitHub commits from the OISF/suricata repository, such as 0eff24213763c2aa2bb0957901d5dc1e18414dbf, 27a2180bceaa3477419c78c54fce364398d011f1, 32609e6896f9079c175665a94005417cec7637eb, 32a1b9ae6aa80a60c073897e38a2ac6ea0f64521, and d6bc718e303ecbec5999066b8bc88eeeca743658. As a workaround, refrain from using rules with dataset `save` or `state` options.
Details
- CWE(s)