Cyber Resilience

CVE-2026-22262

Medium

Published: 27 January 2026

Published
27 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0047 36.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-22262 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Oisf Suricata. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22262 is a stack buffer overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw arises during dataset saving operations, where a fixed-size stack buffer prepares the data; oversized dataset content prior to versions 8.0.3 and 7.0.14 triggers the overflow. Published on 2026-01-27, it is rated 5.9 on the CVSS v3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).

An unauthenticated remote attacker with network access can exploit the vulnerability by crafting traffic that activates Suricata rules using oversized datasets, though this requires high attack complexity with no user interaction needed. Exploitation leads to a denial-of-service condition via stack overflow-induced application crash, disrupting IDS/IPS/NSM functionality without impacting confidentiality or integrity.

Patches resolving the issue are included in Suricata versions 8.0.3 and 7.0.14, with fixes detailed in GitHub commits from the OISF/suricata repository, such as 0eff24213763c2aa2bb0957901d5dc1e18414dbf, 27a2180bceaa3477419c78c54fce364398d011f1, 32609e6896f9079c175665a94005417cec7637eb, 32a1b9ae6aa80a60c073897e38a2ac6ea0f64521, and d6bc718e303ecbec5999066b8bc88eeeca743658. As a workaround, refrain from using rules with dataset `save` or `state` options.

EU & UK References

Vulnerability details

Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result…

more

in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Buffer overflow enables remote DoS crash of Suricata IDS/IPS (impairing defenses via tool disablement or application exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22264Same product: Oisf Suricata
CVE-2026-31932Same product: Oisf Suricata
CVE-2026-31935Same product: Oisf Suricata
CVE-2026-31933Same product: Oisf Suricata
CVE-2026-31934Same product: Oisf Suricata
CVE-2024-55627Same product: Oisf Suricata
CVE-2026-31931Same product: Oisf Suricata
CVE-2024-55605Same product: Oisf Suricata
CVE-2026-31937Same product: Oisf Suricata
CVE-2026-22259Same product: Oisf Suricata

Affected Assets

oisf
suricata
≤ 7.0.14 · 8.0.0 — 8.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches in Suricata 7.0.14/8.0.3 that eliminate the stack-buffer overflow during dataset save operations.

prevent

Enforces disabling the dataset 'save' and 'state' rule options (the documented workaround) so the vulnerable code path is never exercised.

prevent

Requires memory-protection mechanisms (e.g., stack canaries, ASLR, NX) that can convert the stack overflow into a non-exploitable crash rather than arbitrary code execution.

References