CVE-2026-31932
Published: 02 April 2026
Summary
CVE-2026-31932 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of software flaws, directly requiring patching of the KRB5 buffering inefficiency in vulnerable Suricata versions to prevent DoS exploitation.
SC-5 implements denial-of-service detection and prevention mechanisms that limit harm from crafted traffic causing performance degradation in Suricata.
SC-6 ensures resource availability protections, including allocation procedures to mitigate resource exhaustion from the inefficient KRB5 buffering in Suricata.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of Suricata (IDS/IPS) via crafted KRB5 traffic that triggers a performance-degradation DoS (availability impact only). This directly supports T1499.004 (application/system exploitation for endpoint DoS) and T1562.001 (disable/modify security tools, here by impairing the monitoring engine).
NVD Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Deeper analysis
CVE-2026-31932 affects Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The vulnerability stems from an inefficiency in KRB5 buffering that causes performance degradation. It impacts versions of Suricata prior to 7.0.15 and 8.0.4, and has been assigned CWE-407 (Inefficient Algorithmic Complexity) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. By sending crafted traffic that triggers the inefficient KRB5 buffering, attackers can induce significant performance degradation, leading to high availability impact such as denial-of-service on the affected Suricata instance. There is no impact on confidentiality or integrity.
Advisories recommend upgrading to Suricata versions 7.0.15 or 8.0.4, where the issue has been patched. Detailed information is available in the GitHub Security Advisory at https://github.com/OISF/suricata/security/advisories/GHSA-rp9m-jcpw-hggr and the Open Information Security Foundation Redmine issue at https://redmine.openinfosecfoundation.org/issues/8305.
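To triage sensors against the fixed releases named above, the following shell function classifies a bare version string or a `suricata -V` banner. It is an added example, not code from OISF or from this page; the function name and sample inputs are constructed, and reporting `unknown` for `-dev`/`-rc`/`-beta` builds of a fixed version and for branches other than 7.0.x and 8.0.x is an assumption.

```shell
#!/bin/sh
# Added example (not OISF code): classify a Suricata version against the
# fixed releases named in the NVD description (7.0.15 and 8.0.4).

# cve_2026_31932_status VERSION_OR_BANNER
# Accepts a bare version ("7.0.14") or a line of `suricata -V` output.
# Prints: affected | patched | unknown
cve_2026_31932_status() {
    # Extract the first MAJOR.MINOR.PATCH triple from the input.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Assumption: a -dev/-rc/-beta build of a fixed version may predate the fix.
    case "$1" in
        *"$ver"-dev*|*"$ver"-rc*|*"$ver"-beta*) pre=1 ;;
        *) pre=0 ;;
    esac

    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}

    case "$major" in
        7) fixed=15 ;;
        8) fixed=4 ;;
        *)  # Older majors are "prior to 7.0.15"; newer ones are not covered by the page.
            if [ "$major" -lt 7 ]; then echo affected; else echo unknown; fi
            return 0 ;;
    esac
    # The page names only the 7.0.x and 8.0.x lines.
    if [ "$minor" -ne 0 ]; then echo unknown; return 0; fi

    if [ "$patch" -lt "$fixed" ]; then echo affected
    elif [ "$patch" -eq "$fixed" ] && [ "$pre" -eq 1 ]; then echo unknown
    else echo patched
    fi
}

# Constructed sample inputs (not taken from a real sensor).
for sample in "This is Suricata version 7.0.14 RELEASE" "7.0.15" "8.0.3" \
              "8.0.4" "8.0.4-dev" "6.0.20"; do
    printf '%-42s %s\n' "$sample" "$(cve_2026_31932_status "$sample")"
done

# On a sensor: cve_2026_31932_status "$(suricata -V)"
```

Any `unknown` result needs a manual check against the advisory rather than being read as safe.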
Details
- CWE(s)