CVE-2026-22264
Published: 27 January 2026
Summary
CVE-2026-22264 is a high-severity Use After Free (CWE-416) vulnerability in Oisf Suricata. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote packet-based exploitation of Suricata to trigger heap UAF, directly facilitating DoS via system/application crash (T1499.004) and impairing the IDS/IPS tool itself (T1562.001) for potential stealth or defense evasion.
NVD Description
Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14…
more
contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.
Deeper analysisAI
CVE-2026-22264 is an unsigned integer overflow vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions prior to 8.0.3 and 7.0.14, where processing a single packet that triggers excessive alerts—specifically more than 65536 matching signatures—causes the overflow, leading to a heap use-after-free condition. This issue is classified under CWE-416 (Use After Free) with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to impacts on integrity and availability.
Attackers with network access can exploit this vulnerability remotely without privileges or user interaction, though it requires high attack complexity. Exploitation involves crafting a malicious packet designed to match an excessive number of Suricata rules, triggering the integer overflow and subsequent heap use-after-free. Successful exploitation could result in denial-of-service via crashes or memory corruption, potentially compromising the integrity of alert generation or system stability, but without direct confidentiality impacts.
Patches addressing this vulnerability are available in Suricata versions 8.0.3 and 7.0.14, as detailed in GitHub commits such as 549d7bf60616de8e54686a188196453b5b22f715, 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2, and ac1eb394181530430fb7262969f423a1bf8f209b, along with the OISF security advisory GHSA-mqr8-m3m4-2hw5 and Redmine issue 8190. As a workaround, operators should avoid untrusted rulesets and configure deployments to limit signatures matching on the same packet to fewer than 65536.
Details
- CWE(s)