Cyber Resilience

CVE-2026-31933

HighDDoS

Published: 02 April 2026

Published
02 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0035 27.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31933 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685); ranked at the 27.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31933 is a denial-of-service vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. Affecting versions prior to 7.0.15 and 8.0.4, the flaw (classified under CWE-407: Inefficient Algorithmic Complexity) allows specially crafted network traffic to trigger significant performance degradation, particularly in IDS mode. The issue stems from inefficient processing that leads to slowdowns, as scored at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), emphasizing high availability impact without compromising confidentiality or integrity.

Attackers require only network access to the monitored traffic, with no privileges, user interaction, or special complexity needed. By sending tailored packets to interfaces Suricata is inspecting, remote unauthenticated actors can cause the engine to consume excessive resources, resulting in slowed detection and monitoring capabilities. This effectively enables a denial-of-service condition targeted at the security tool itself, potentially blinding defenders during an attack.

Official advisories recommend upgrading to Suricata 7.0.15 or 8.0.4, where the issue has been patched. Details are available in the GitHub Security Advisory (GHSA-hvp5-gpr6-j4gp) and OISF Redmine issue 8272, which outline the fix and affected code paths.

EU & UK References

Vulnerability details

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote resource exhaustion DoS against Suricata IDS/IPS via algorithmic complexity in traffic processing, directly mapping to impairing defensive tools (T1562.001) and application exploitation for endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31932Same product: Oisf Suricata
CVE-2026-31934Same product: Oisf Suricata
CVE-2026-31937Same product: Oisf Suricata
CVE-2026-31935Same product: Oisf Suricata
CVE-2026-22264Same product: Oisf Suricata
CVE-2026-22262Same product: Oisf Suricata
CVE-2026-31931Same product: Oisf Suricata
CVE-2024-55628Same product: Oisf Suricata
CVE-2026-22259Same product: Oisf Suricata
CVE-2026-22258Same product: Oisf Suricata

Affected Assets

oisf
suricata
≤ 7.0.15 · 8.0.0 — 8.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation of the inefficient algorithmic complexity flaw through patching Suricata to versions 7.0.15 or 8.0.4.

prevent

Implements denial-of-service protections at network entry points to block or limit specially crafted traffic targeting Suricata's IDS mode.

prevent

Ensures resource availability protections to mitigate excessive consumption caused by the CVE's inefficient processing of crafted packets.

References