CVE-2026-22262
Published: 27 January 2026
Summary
CVE-2026-22262 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Oisf Suricata. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22262 is a stack buffer overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw arises during dataset saving operations, where a fixed-size stack buffer prepares the data; oversized dataset content prior to versions 8.0.3 and 7.0.14 triggers the overflow. Published on 2026-01-27, it is rated 5.9 on the CVSS v3.1 scale (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
An unauthenticated remote attacker with network access can exploit the vulnerability by crafting traffic that activates Suricata rules using oversized datasets, though this requires high attack complexity with no user interaction needed. Exploitation leads to a denial-of-service condition via stack overflow-induced application crash, disrupting IDS/IPS/NSM functionality without impacting confidentiality or integrity.
Patches resolving the issue are included in Suricata versions 8.0.3 and 7.0.14, with fixes detailed in GitHub commits from the OISF/suricata repository, such as 0eff24213763c2aa2bb0957901d5dc1e18414dbf, 27a2180bceaa3477419c78c54fce364398d011f1, 32609e6896f9079c175665a94005417cec7637eb, 32a1b9ae6aa80a60c073897e38a2ac6ea0f64521, and d6bc718e303ecbec5999066b8bc88eeeca743658. As a workaround, refrain from using rules with dataset `save` or `state` options.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4772
Vulnerability details
Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result…
more
in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow enables remote DoS crash of Suricata IDS/IPS (impairing defenses via tool disablement or application exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patches in Suricata 7.0.14/8.0.3 that eliminate the stack-buffer overflow during dataset save operations.
Enforces disabling the dataset 'save' and 'state' rule options (the documented workaround) so the vulnerable code path is never exercised.
Requires memory-protection mechanisms (e.g., stack canaries, ASLR, NX) that can convert the stack overflow into a non-exploitable crash rather than arbitrary code execution.