CVE-2026-31931
Published: 02 April 2026
Summary
CVE-2026-31931 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 20.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws such as the NULL dereference crash in Suricata versions 8.0.0 through 8.0.3, by applying patches such as version 8.0.4.
- CM-7 (Least Functionality): mandates restricting Suricata to least functionality by prohibiting or disabling non-essential rules that use the vulnerable "tls.alpn" keyword, as a temporary mitigation.
- Requires vulnerability scanning and monitoring to detect CVE-2026-31931 in deployed Suricata instances, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL dereference lets crafted traffic crash the Suricata IDS/IPS remotely, which maps directly to application exploitation causing denial of service (T1499.004), disabling security tooling (T1562.001), and evading detection by blinding the sensor (T1211).
NVD Description
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
Deeper analysis
CVE-2026-31931 is a NULL dereference vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The issue affects versions 8.0.0 through 8.0.3, where use of the "tls.alpn" rule keyword during rule evaluation triggers a crash. Classified under CWE-476 (NULL Pointer Dereference), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Any unauthenticated sender whose traffic reaches the Suricata sensor can trigger the NULL dereference by sending traffic that matches a rule using the "tls.alpn" keyword (for example, TLS traffic carrying a particular Application-Layer Protocol Negotiation (ALPN) extension value). The engine then crashes, and inspection of the monitored traffic stops: a denial of service (DoS) against the sensor itself.
The vulnerability has been addressed in Suricata version 8.0.4, as detailed in the official GitHub security advisory (GHSA-gr22-4784-xvw3) and OISF Redmine issue #8294. Security practitioners should upgrade to 8.0.4 or later and review rulesets for "tls.alpn" usage, temporarily disabling affected rules if immediate patching is not feasible.
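As an added defender-side example (not code from the page, NVD, or the Suricata project), the following Python helper implements the interim mitigation described above: it flags enabled rules that use the "tls.alpn" keyword, writes out a copy of the ruleset with those rules commented out, and checks whether a reported Suricata version falls in the affected 8.0.0 through 8.0.3 range. It assumes one rule per line (no backslash continuations), and the sample ruleset is constructed for the demonstration.

```python
"""Audit a Suricata ruleset for the tls.alpn keyword (CVE-2026-31931): list enabled rules
using it and emit a copy with them commented out until the sensor runs 8.0.4 or later."""
import re
from typing import List, Tuple

AFFECTED_MIN, FIXED = (8, 0, 0), (8, 0, 4)  # affected range per the advisory
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')         # "..." incl. escaped quotes
_TLS_ALPN = re.compile(r'(?<![\w.])tls\.alpn\s*;')  # the sticky-buffer keyword
_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample ruleset for demonstration; not a real distributed ruleset.
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"ALPN h2 seen"; tls.alpn; content:"h2"; sid:1000001; rev:1;)
alert tls any any -> any any (msg:"tls.alpn; only in msg"; tls.sni; content:"example"; sid:1000002; rev:1;)
#alert tls any any -> any any (msg:"already disabled"; tls.alpn; content:"http/1.1"; sid:1000003; rev:1;)
alert tls any any -> any any (msg:"odd spacing"; tls.alpn ; content:"h3"; sid:1000004; rev:1;)
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """'8.0.3' -> (8, 0, 3); a trailing suffix such as '-dev' is ignored."""
    core = re.match(r'\d+(?:\.\d+)*', version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in core.group(0).split('.'))

def is_affected_version(version: str) -> bool:
    """True for 8.0.0 <= version < 8.0.4, the range the advisory names."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

def uses_tls_alpn(rule: str) -> bool:
    """True if an enabled (uncommented) rule line uses tls.alpn. Quoted strings
    are blanked first so a msg:"tls.alpn;" text is not a false hit."""
    stripped = rule.strip()
    if not stripped or stripped.startswith('#'):
        return False
    return bool(_TLS_ALPN.search(_QUOTED.sub('""', stripped)))

def find_tls_alpn_rules(ruleset: str) -> List[Tuple[int, str]]:
    """(line number, sid or '?') for every enabled rule that uses tls.alpn."""
    hits = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        if uses_tls_alpn(line):
            m = _SID.search(line)
            hits.append((lineno, m.group(1) if m else '?'))
    return hits

def disable_tls_alpn_rules(ruleset: str) -> str:
    """Copy of the ruleset with tls.alpn rules commented out and tagged."""
    return '\n'.join(('# CVE-2026-31931 disabled: ' + line) if uses_tls_alpn(line)
                     else line for line in ruleset.splitlines()) + '\n'
```

The tag prefix makes the disabled rules easy to find and re-enable once the sensor has been upgraded to 8.0.4 or later.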
Details
- CWE(s)