What is CVE-2026-22258?

CVE-2026-22258 is a high-severity vulnerability in Oisf Suricata, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-01-27.

How severe is CVE-2026-22258?

High severity. CVSS v3 base score is 7.5 out of 10.

Resource exhaustion in Oisf Suricata

CVE-2026-22258

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCE…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (25.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Oisf Suricata — versions < 7.0.14, >= 8.0.0, < 8.0.3

Weakness classification (CWE)

References

https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx (x_refsource_CONFIRM)
https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74 (x_refsource_MISC)
https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830 (x_refsource_MISC)
https://redmine.openinfosecfoundation.org/issues/8182 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-22258?: CVE-2026-22258 is a high-severity vulnerability in Oisf Suricata, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-01-27.
How severe is CVE-2026-22258?: High severity. CVSS v3 base score is 7.5 out of 10.