Cyber Posture

CVE-2026-31934

High

Published: 02 April 2026

Modified: 07 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31934 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Disable or Modify Tools (T1562.001) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Flaw remediation directly mitigates CVE-2026-31934 by applying the patch released in Suricata version 8.0.4 to fix the quadratic complexity in URL searching within MIME-encoded SMTP messages.

prevent

Denial-of-service protection implements safeguards such as rate limiting on SMTP traffic to prevent remote attackers from triggering CPU exhaustion via crafted MIME-encoded messages in Suricata.

prevent

Resource availability protections allocate and control CPU resources to block exhaustion from the algorithmic complexity vulnerability during Suricata's processing of malicious SMTP payloads.

MITRE ATT&CK Enterprise Techniques

T1562.001 Disable or Modify Tools · Stealth
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.

T1499.004 Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE describes a remote, unauthenticated algorithmic-complexity DoS against the Suricata IDS/IPS/NSM engine itself. Exploitation directly produces an availability impact on a security tool (T1562.001 Disable or Modify Tools) via application-level resource exhaustion (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for URLs in mime encoded messages over SMTP leading to a performance impact. This issue has been patched in version 8.0.4.

Deeper analysis

CVE-2026-31934 affects Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The vulnerability is a quadratic complexity issue in versions 8.0.0 through 8.0.3, occurring when the engine searches for URLs within MIME-encoded messages transmitted over SMTP. This flaw leads to severe performance degradation, classified under CWE-407 (algorithmic complexity) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted MIME-encoded SMTP messages containing malicious URLs. The quadratic behavior in URL detection triggers excessive computational resource consumption, enabling a denial-of-service attack that exhausts CPU cycles and impairs Suricata's ability to process network traffic effectively. No privileges, user interaction, or special conditions beyond network access are required.

The issue has been patched in Suricata version 8.0.4. Administrators should upgrade to this version or later to mitigate the vulnerability. Additional details are available in the GitHub Security Advisory (https://github.com/OISF/suricata/security/advisories/GHSA-hr89-h2pp-f3c8) and the Open Information Security Foundation Redmine issue (https://redmine.openinfosecfoundation.org/issues/8292).

Details

CWE(s): CWE-407

Affected Products

oisf suricata: 8.0.0 to before 8.0.4

CVEs Like This One

CVE-2026-31932 (Same product: OISF Suricata)
CVE-2026-31933 (Same product: OISF Suricata)
CVE-2026-31937 (Same product: OISF Suricata)
CVE-2026-31935 (Same product: OISF Suricata)
CVE-2026-22262 (Same product: OISF Suricata)
CVE-2026-22264 (Same product: OISF Suricata)
CVE-2026-31931 (Same product: OISF Suricata)
CVE-2024-55628 (Same product: OISF Suricata)
CVE-2026-22259 (Same product: OISF Suricata)
CVE-2024-55627 (Same product: OISF Suricata)
