Cyber Posture

CVE-2026-31933

High

Published: 02 April 2026

Modified: 07 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31933 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Disable or Modify Tools (T1562.001) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mitigates the CVE by requiring timely remediation of the inefficient algorithmic complexity flaw through patching Suricata to versions 7.0.15 or 8.0.4.

prevent: Implements denial-of-service protections at network entry points to block or limit specially crafted traffic targeting Suricata's IDS mode.

prevent: Ensures resource availability protections to mitigate excessive consumption caused by the CVE's inefficient processing of crafted packets.

MITRE ATT&CK Enterprise Techniques [AI]

T1562.001 · Disable or Modify Tools · Stealth
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables a remote resource-exhaustion DoS against Suricata IDS/IPS through algorithmic complexity in traffic processing. This maps directly to impairing defensive tools (T1562.001) and to application exploitation for endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.

Deeper analysis [AI]

CVE-2026-31933 is a denial-of-service vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. Affecting versions prior to 7.0.15 and 8.0.4, the flaw (classified under CWE-407: Inefficient Algorithmic Complexity) allows specially crafted network traffic to trigger significant performance degradation, particularly in IDS mode. The issue stems from inefficient processing that leads to slowdowns. It is scored at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting a high availability impact with no impact on confidentiality or integrity.

Attackers require only network access to the monitored traffic, with no privileges, user interaction, or special complexity needed. By sending tailored packets to interfaces Suricata is inspecting, remote unauthenticated actors can cause the engine to consume excessive resources, resulting in slowed detection and monitoring capabilities. This effectively enables a denial-of-service condition targeted at the security tool itself, potentially blinding defenders during an attack.

Official advisories recommend upgrading to Suricata 7.0.15 or 8.0.4, where the issue has been patched. Details are available in the GitHub Security Advisory (GHSA-hvp5-gpr6-j4gp) and OISF Redmine issue 8272, which outline the fix and affected code paths.
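
An added example (not from the advisory or the Suricata project) for triaging sensors against the fixed releases named above: it classifies a `suricata -V` banner as affected, patched or unknown. Assumptions: the banner has the form `This is Suricata version X.Y.Z RELEASE`, branches older than 7.0 are treated as affected following the "prior to 7.0.15" wording, and the function names are illustrative.

```python
import re
import subprocess

# Fixed releases named on this page, keyed by (major, minor) branch.
FIXED = {(7, 0): (7, 0, 15), (8, 0): (8, 0, 4)}
BANNER_RE = re.compile(r"version\s+(\d+)\.(\d+)\.(\d+)(?:-(\w+))?")

def parse_banner(banner):
    """Return ((major, minor, patch), prerelease_tag_or_None), or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)

def classify(banner):
    """Map a `suricata -V` banner to 'affected', 'patched' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, tag = parsed
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Assumption: branches older than 7.0 count as "prior to 7.0.15";
        # a newer branch cannot be judged from the advisory text alone.
        return "affected" if version < (7, 0, 0) else "unknown"
    if version < fixed:
        return "affected"
    # A -dev/-rc/-beta build carrying the fixed number may predate the fix.
    if version == fixed and tag:
        return "unknown"
    return "patched"

def local_banner(binary="suricata"):
    """Run `<binary> -V`; return its output, or '' if it cannot be run."""
    try:
        out = subprocess.run([binary, "-V"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stdout + out.stderr

if __name__ == "__main__":
    # Constructed sample banners, followed by the local install if present.
    samples = ["This is Suricata version 7.0.14 RELEASE",
               "This is Suricata version 8.0.4 RELEASE",
               "This is Suricata version 8.0.4-dev (constructed)"]
    for banner in samples + [local_banner()]:
        print(f"{classify(banner):9} {banner.strip() or '(no local suricata)'}")
```

An `unknown` result means the build needs manual review against the advisory rather than being treated as safe.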

Details

CWE(s): CWE-407 (Inefficient Algorithmic Complexity)

Affected Products

oisf suricata: ≤ 7.0.15 · 8.0.0 — 8.0.4

CVEs Like This One

CVE-2026-31932 · Same product: OISF Suricata
CVE-2026-31934 · Same product: OISF Suricata
CVE-2026-31937 · Same product: OISF Suricata
CVE-2026-31935 · Same product: OISF Suricata
CVE-2026-22262 · Same product: OISF Suricata
CVE-2026-22264 · Same product: OISF Suricata
CVE-2026-31931 · Same product: OISF Suricata
CVE-2024-55628 · Same product: OISF Suricata
CVE-2026-22259 · Same product: OISF Suricata
CVE-2024-55627 · Same product: OISF Suricata
