CVE-2026-22264
Published: 27 January 2026
Summary
CVE-2026-22264 is a high-severity Use After Free (CWE-416) vulnerability in Oisf Suricata. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22264 is an unsigned integer overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions prior to 8.0.3 and 7.0.14, where processing a single packet that triggers excessive alerts—specifically more than 65536 matching signatures—causes the overflow, leading to a heap use-after-free condition. This issue is classified under CWE-416 (Use After Free) with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to impacts on integrity and availability.
Attackers with network access can exploit this vulnerability remotely without privileges or user interaction, though it requires high attack complexity. Exploitation involves crafting a malicious packet designed to match an excessive number of Suricata rules, triggering the integer overflow and subsequent heap use-after-free. Successful exploitation could result in denial-of-service via crashes or memory corruption, potentially compromising the integrity of alert generation or system stability, but without direct confidentiality impacts.
Patches addressing this vulnerability are available in Suricata versions 8.0.3 and 7.0.14, as detailed in GitHub commits such as 549d7bf60616de8e54686a188196453b5b22f715, 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2, and ac1eb394181530430fb7262969f423a1bf8f209b, along with the OISF security advisory GHSA-mqr8-m3m4-2hw5 and Redmine issue 8190. As a workaround, operators should avoid untrusted rulesets and configure deployments to limit signatures matching on the same packet to fewer than 65536.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4782
Vulnerability details
Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14…
more
contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote packet-based exploitation of Suricata to trigger heap UAF, directly facilitating DoS via system/application crash (T1499.004) and impairing the IDS/IPS tool itself (T1562.001) for potential stealth or defense evasion.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the available patches in Suricata 8.0.3/7.0.14 that eliminate the unsigned integer overflow and resulting use-after-free.
Enforces the documented workaround of restricting rulesets so that fewer than 65536 signatures can match a single packet, eliminating the overflow trigger.
Requires hardening Suricata configuration settings to disable or constrain untrusted rulesets that could produce excessive per-packet alerts.