CVE-2026-31937
Published: 02 April 2026
Summary
CVE-2026-31937 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Disable or Modify Tools (T1562.001). The vulnerability ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SC-6 (Resource Availability), in addition to flaw remediation (SI-2) by upgrading to the patched release.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2): upgrade Suricata to version 7.0.15 or later. This removes the DCERPC buffering inefficiency that the denial of service exploits and is the only fix the references describe.
Denial-of-service protection (SC-5): rate limiting or filtering of DCERPC traffic upstream of the sensor limits how much crafted traffic reaches the vulnerable parser. A passive sensor cannot rate-limit the traffic it mirrors, so this control has to sit at the network edge, and it lowers exposure without removing it.
Resource availability (SC-6): track sensor CPU and capture drop counters so that degradation is noticed promptly, since an overloaded sensor sheds packets without raising any alert of its own.
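The SC-5/SC-6 controls above only help if someone notices the sensor degrading. The script below, added here as an example and not part of Suricata or this advisory, reads consecutive `stats` records from Suricata's eve.json output, turns the cumulative `capture.kernel_drops`/`capture.kernel_packets` and `app_layer.flow.dcerpc_tcp`/`app_layer.tx.dcerpc_tcp` counters into per-interval deltas, and flags intervals where the drop ratio climbs while new DCERPC flows surge, which is the footprint a DCERPC-driven slowdown would leave. The sample records are constructed, the counter paths follow Suricata's standard stats layout (verify them against your build's own output), and the thresholds are assumed starting points.

```python
import json

# Constructed eve.json excerpt for this example (not a real capture): three
# 'stats' records 10 s apart plus an unrelated 'alert' record that must be
# skipped. Counters are cumulative since sensor start, as in real output.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2026-04-02T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":100,'
    '"capture":{"kernel_packets":100000,"kernel_drops":0},'
    '"app_layer":{"flow":{"dcerpc_tcp":12,"http":900},"tx":{"dcerpc_tcp":40,"http":2100}}}}',
    '{"timestamp":"2026-04-02T10:00:05.000000+0000","event_type":"alert","alert":{"signature_id":1}}',
    '{"timestamp":"2026-04-02T10:00:10.000000+0000","event_type":"stats","stats":{"uptime":110,'
    '"capture":{"kernel_packets":200000,"kernel_drops":0},'
    '"app_layer":{"flow":{"dcerpc_tcp":25,"http":1850},"tx":{"dcerpc_tcp":85,"http":4300}}}}',
    '{"timestamp":"2026-04-02T10:00:20.000000+0000","event_type":"stats","stats":{"uptime":120,'
    '"capture":{"kernel_packets":300000,"kernel_drops":45000},'
    '"app_layer":{"flow":{"dcerpc_tcp":3025,"http":2700},"tx":{"dcerpc_tcp":9085,"http":6500}}}}',
])

# Dotted paths into the 'stats' object; these follow Suricata's standard
# eve.json stats layout (assumed here, confirm against your own output).
COUNTERS = {
    "packets": "capture.kernel_packets",
    "drops": "capture.kernel_drops",
    "dcerpc_flows": "app_layer.flow.dcerpc_tcp",
    "dcerpc_tx": "app_layer.tx.dcerpc_tcp",
}


def dig(obj, path, default=0):
    """Follow a dotted path through nested dicts; a missing key yields default."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def parse_stats(text):
    """Extract the counters of interest from each eve 'stats' record, in file order."""
    samples = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "stats":
            continue
        sample = {name: dig(rec["stats"], path) for name, path in COUNTERS.items()}
        sample["timestamp"] = rec["timestamp"]
        samples.append(sample)
    return samples


def to_intervals(samples):
    """Convert cumulative counters into per-interval deltas plus a drop ratio."""
    ivals = []
    for prev, cur in zip(samples, samples[1:]):
        d = {name: cur[name] - prev[name] for name in COUNTERS}
        d["timestamp"] = cur["timestamp"]
        d["drop_ratio"] = d["drops"] / d["packets"] if d["packets"] else 0.0
        ivals.append(d)
    return ivals


def flag_starvation(ivals, max_drop_ratio=0.01, surge_factor=10.0):
    """Return intervals (after the first) whose kernel drop ratio exceeds max_drop_ratio.

    Each hit records whether new DCERPC flows also grew by at least surge_factor
    times the previous interval, the pattern a DCERPC-driven slowdown (rather than
    a generic traffic burst) would show. Both thresholds are assumed starting
    points; tune them to the sensor's normal baseline.
    """
    hits = []
    for prev, cur in zip(ivals, ivals[1:]):
        if cur["drop_ratio"] <= max_drop_ratio:
            continue
        baseline = max(prev["dcerpc_flows"], 1)
        hits.append({
            "timestamp": cur["timestamp"],
            "drop_ratio": round(cur["drop_ratio"], 3),
            "dcerpc_flows": cur["dcerpc_flows"],
            "dcerpc_surge": cur["dcerpc_flows"] / baseline >= surge_factor,
        })
    return hits


if __name__ == "__main__":
    for hit in flag_starvation(to_intervals(parse_stats(SAMPLE_EVE))):
        print(hit)
```

On the constructed sample the last interval is flagged with a 45% drop ratio and `dcerpc_surge` set, while the earlier interval passes. In production, feed the script the tail of eve.json (or the `stats.log` equivalent) at the sensor's stats interval; a hit without the DCERPC surge still means the sensor is blind, just for some other reason.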
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables a remote resource-exhaustion DoS against Suricata, a security monitoring tool, via crafted DCERPC traffic. An attacker who degrades or blinds the IDS/IPS sensor this way is impairing defenses (T1562.001), so a successful exploit is a defense-evasion step rather than an end in itself.
NVD Description
Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.
Deeper analysis
CVE-2026-31937 affects Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The vulnerability stems from an inefficiency in DCERPC buffering prior to version 7.0.15, which can cause significant performance degradation. Assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-407, it represents a denial-of-service condition without compromising confidentiality or integrity.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, authentication, or user interaction. By sending crafted DCERPC traffic past a vulnerable Suricata instance, an unauthenticated remote attacker can trigger excessive resource consumption in the buffering mechanism, leading to a high availability impact such as CPU exhaustion or slowed packet processing. Because the sensor itself is the target, the practical consequence is inspection gaps (dropped or delayed packets) during the attack window rather than damage to the monitored hosts.
The official GitHub Security Advisory (GHSA-86vg-w8vm-m3gg) and Open Information Security Foundation Redmine issue (8304) confirm the issue has been addressed in Suricata version 7.0.15. Security practitioners should upgrade to this patched version or later to mitigate the vulnerability, as no workarounds are specified in the provided references.
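Since patching is the only fix, the first check on every sensor is which version it actually runs. The script below is an added example (not from Suricata, NVD, or the GHSA) that parses the banner `suricata -V` prints, such as `This is Suricata version 7.0.14 RELEASE`, and applies the NVD range literally: anything below 7.0.15 is affected. It encodes two caveats: a `-dev` build carrying the fixed version number predates the tagged release and is reported as indeterminate, and versions outside the 7.0.x line are flagged for confirmation against GHSA-86vg-w8vm-m3gg because the advisory text says nothing about them. The banner format and the `-dev` suffix convention are assumed from Suricata's usual output.

```python
import re
import subprocess

# Boundary of the vulnerable range as stated by NVD: everything before 7.0.15
# is affected; 7.0.15 and later carry the fix.
FIXED_IN = (7, 0, 15)

# Matches the version token in the `suricata -V` banner (assumed format), e.g.
# "This is Suricata version 7.0.14 RELEASE" or "... version 7.0.15-dev (revision ...)".
VERSION_RE = re.compile(r"\bversion\s+(\d+)\.(\d+)\.(\d+)(-dev)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_dev) parsed from a `suricata -V` banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Suricata version found in: %r" % text.strip())
    return tuple(int(x) for x in m.groups()[:3]), m.group(4) is not None


def assess(text):
    """Classify a build as 'affected', 'fixed' or 'indeterminate' for CVE-2026-31937."""
    version, is_dev = parse_version(text)
    notes = []
    if is_dev:
        # A -dev build predates the tagged release with the same number, so the
        # number alone cannot say whether the fix commit is in it.
        verdict = "indeterminate"
        notes.append("development build; confirm the fix commit is present")
    elif version < FIXED_IN:
        verdict = "affected"
    else:
        verdict = "fixed"
    if version[:2] != FIXED_IN[:2]:
        # NVD states only "prior to 7.0.15"; other release lines must be
        # confirmed against GHSA-86vg-w8vm-m3gg before trusting this verdict.
        notes.append("outside the 7.0.x line; confirm against the advisory")
    label = "%d.%d.%d" % version + ("-dev" if is_dev else "")
    return {"version": label, "verdict": verdict, "notes": notes}


def assess_installed(binary="suricata"):
    """Run the local binary and assess its reported version (needs Suricata on PATH)."""
    banner = subprocess.run([binary, "-V"], capture_output=True, text=True, check=True).stdout
    return assess(banner)


if __name__ == "__main__":
    print(assess_installed())
```

Run it on each sensor host, or feed `assess()` banners collected by your configuration management tool; anything other than a clean `fixed` with no notes needs a human look.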
Details
- CWE(s)