CVE-2026-31935
Published: 02 April 2026
Summary
CVE-2026-31935 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in OISF Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Flaw remediation requires timely patching of Suricata to versions 7.0.15 or 8.0.4, directly eliminating the memory exhaustion vulnerability from HTTP/2 continuation frame flooding.
Denial-of-service protection implements mechanisms like rate limiting to block flooding of crafted HTTP/2 continuation frames targeting Suricata.
Resource availability ensures memory allocations are bounded and monitored to prevent exhaustion from unbounded HTTP/2 frame processing in Suricata.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The CVE enables remote application exploitation that crashes the process through memory exhaustion (T1499.004) and directly disables the Suricata IDS/IPS/NSM tool (T1562.001).
NVD Description
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4.
Deeper analysis [AI]
CVE-2026-31935 is a denial-of-service vulnerability in Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The flaw affects versions prior to 7.0.15 and 8.0.4, where an attacker can flood the system with crafted HTTP/2 continuation frames, triggering unbounded memory allocation and exhaustion. This typically results in the Suricata process being terminated by the operating system. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Any unauthenticated attacker with network access to a vulnerable Suricata instance can exploit this issue remotely with low complexity and no user interaction required. By sending a high volume of specially crafted HTTP/2 continuation frames, the attacker induces memory exhaustion, causing Suricata to crash and disrupting IDS, IPS, or NSM functionality. This leads to a high-impact availability loss without affecting confidentiality or integrity.
The official GitHub Security Advisory (GHSA-vxrp-5pg7-7v4x) and OISF Redmine issue #8289 confirm that the vulnerability has been addressed in Suricata versions 7.0.15 and 8.0.4. Security practitioners should upgrade to these patched releases immediately, as no workarounds are mentioned in the advisories. Monitoring for unusual HTTP/2 traffic patterns may help detect exploitation attempts in the interim.
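As an added illustration of the interim monitoring suggested above (this is not code from Suricata, OISF, or the advisory), the sketch below walks the 9-byte HTTP/2 frame headers defined in RFC 9113 and flags a header block whose CONTINUATION run exceeds a threshold. It assumes the cleartext or decrypted bytes of one direction of one connection; the function names, thresholds, and sample frames are assumptions made for this example.

```python
import struct

# Frame type and flag values from RFC 9113.
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

def iter_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame in buf."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    while pos + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo          # 24-bit payload length
        if pos + 9 + length > len(buf):
            break                         # truncated trailing frame, stop
        yield length, ftype, flags, sid & 0x7FFFFFFF  # drop reserved bit
        pos += 9 + length

def find_continuation_floods(buf, max_frames=32, max_bytes=65536):
    """Return (stream_id, continuation_count, header_bytes) per flagged block.

    The thresholds are assumed values for this example; tune them locally.
    """
    alerts, run = [], None
    for length, ftype, flags, sid in iter_frames(buf):
        if ftype == HEADERS:
            run = {"stream": sid, "frames": 0, "bytes": length, "alerted": False}
        elif ftype == CONTINUATION and run and run["stream"] == sid:
            run["frames"] += 1
            run["bytes"] += length
        else:
            continue                      # frame is not part of a header block
        if not run["alerted"] and (run["frames"] > max_frames or run["bytes"] > max_bytes):
            run["alerted"] = True         # report each header block only once
            alerts.append((run["stream"], run["frames"], run["bytes"]))
        if flags & END_HEADERS:
            run = None                    # header block closed normally
    return alerts

# Constructed sample input: opaque 4-byte payloads, not real HPACK data.
def frame(ftype, flags, sid, payload=b"\x00" * 4):
    return struct.pack(">BHBBI", len(payload) >> 16, len(payload) & 0xFFFF, ftype, flags, sid) + payload

BENIGN = PREFACE + frame(HEADERS, 0, 1) + frame(CONTINUATION, 0, 1) + frame(CONTINUATION, END_HEADERS, 1)
SUSPECT = frame(HEADERS, 0, 3) + b"".join(frame(CONTINUATION, 0, 3) for _ in range(12))

if __name__ == "__main__":
    print(find_continuation_floods(BENIGN, max_frames=8), find_continuation_floods(SUSPECT, max_frames=8))
```

A header block that never sets END_HEADERS while its frame or byte count keeps growing is the pattern to alert on; upgrading to 7.0.15 or 8.0.4 remains the fix.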
Details
- CWE(s)