Cyber Resilience

CVE-2026-22264

High

Published: 27 January 2026

Published
27 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0034 26.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22264 is a high-severity Use After Free (CWE-416) vulnerability in Oisf Suricata. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22264 is an unsigned integer overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions prior to 8.0.3 and 7.0.14, where processing a single packet that triggers excessive alerts—specifically more than 65536 matching signatures—causes the overflow, leading to a heap use-after-free condition. This issue is classified under CWE-416 (Use After Free) with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to impacts on integrity and availability.

Attackers with network access can exploit this vulnerability remotely without privileges or user interaction, though it requires high attack complexity. Exploitation involves crafting a malicious packet designed to match an excessive number of Suricata rules, triggering the integer overflow and subsequent heap use-after-free. Successful exploitation could result in denial-of-service via crashes or memory corruption, potentially compromising the integrity of alert generation or system stability, but without direct confidentiality impacts.

Patches addressing this vulnerability are available in Suricata versions 8.0.3 and 7.0.14, as detailed in GitHub commits such as 549d7bf60616de8e54686a188196453b5b22f715, 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2, and ac1eb394181530430fb7262969f423a1bf8f209b, along with the OISF security advisory GHSA-mqr8-m3m4-2hw5 and Redmine issue 8190. As a workaround, operators should avoid untrusted rulesets and configure deployments to limit signatures matching on the same packet to fewer than 65536.

EU & UK References

Vulnerability details

Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14…

more

contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Vulnerability enables remote packet-based exploitation of Suricata to trigger heap UAF, directly facilitating DoS via system/application crash (T1499.004) and impairing the IDS/IPS tool itself (T1562.001) for potential stealth or defense evasion.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31933Same product: Oisf Suricata
CVE-2026-31935Same product: Oisf Suricata
CVE-2026-22262Same product: Oisf Suricata
CVE-2026-31934Same product: Oisf Suricata
CVE-2026-31932Same product: Oisf Suricata
CVE-2026-31931Same product: Oisf Suricata
CVE-2026-22258Same product: Oisf Suricata
CVE-2024-55605Same product: Oisf Suricata
CVE-2026-22259Same product: Oisf Suricata
CVE-2026-31937Same product: Oisf Suricata

Affected Assets

oisf
suricata
≤ 7.0.14 · 8.0.0 — 8.0.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the available patches in Suricata 8.0.3/7.0.14 that eliminate the unsigned integer overflow and resulting use-after-free.

prevent

Enforces the documented workaround of restricting rulesets so that fewer than 65536 signatures can match a single packet, eliminating the overflow trigger.

prevent

Requires hardening Suricata configuration settings to disable or constrain untrusted rulesets that could produce excessive per-packet alerts.

References