Cyber Resilience

CVE-2026-31937

HighDDoS

Published: 02 April 2026

Published
02 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0035 27.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31937 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Oisf Suricata. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685); ranked at the 27.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-31937 affects Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine. The vulnerability stems from an inefficiency in DCERPC buffering prior to version 7.0.15, which can cause significant performance degradation. Assigned a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-407, it represents a denial-of-service condition without compromising confidentiality or integrity.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, authentication, or user interaction. By sending crafted DCERPC traffic to a vulnerable Suricata instance, an unauthenticated remote attacker can trigger excessive resource consumption in the buffering mechanism, leading to high availability impact such as CPU exhaustion or slowed packet processing. This disrupts the engine's ability to monitor or inspect network traffic effectively.

The official GitHub Security Advisory (GHSA-86vg-w8vm-m3gg) and Open Information Security Foundation Redmine issue (8304) confirm the issue has been addressed in Suricata version 7.0.15. Security practitioners should upgrade to this patched version or later to mitigate the vulnerability, as no workarounds are specified in the provided references.

EU & UK References

Vulnerability details

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Vulnerability enables remote resource exhaustion DoS against Suricata (security monitoring tool) via crafted DCERPC traffic, directly facilitating defense evasion by disabling the IDS/IPS sensor.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31933Same product: Oisf Suricata
CVE-2026-31932Same product: Oisf Suricata
CVE-2026-31934Same product: Oisf Suricata
CVE-2026-22259Same product: Oisf Suricata
CVE-2026-22258Same product: Oisf Suricata
CVE-2024-55605Same product: Oisf Suricata
CVE-2026-31935Same product: Oisf Suricata
CVE-2026-22264Same product: Oisf Suricata
CVE-2026-22262Same product: Oisf Suricata
CVE-2026-31931Same product: Oisf Suricata

Affected Assets

oisf
suricata
≤ 7.0.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of Suricata to version 7.0.15 or later, directly eliminating the DCERPC buffering inefficiency exploited for DoS.

prevent

Denial-of-service protection employs mechanisms like rate limiting to block or limit crafted DCERPC traffic causing performance degradation in Suricata.

prevent

Resource availability controls ensure critical resources are protected from exhaustion due to the vulnerable buffering mechanism in Suricata.

References