=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN089
_____________________________________________________________________

DATE                : 28/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Suricata versions prior to 7.0.14
                     or 8.0.3.

=====================================================================
https://github.com/OISF/suricata/security/advisories/GHSA-878h-2x6v-84q9
https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx
https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22
https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5
https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7
https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86
https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf
_____________________________________________________________________


dnp3: excessive memory consumption
High
victorjulien published GHSA-878h-2x6v-84q9 Jan 27, 2026

Package
suricata

Affected versions
< 7.0.14, < 8.0.3

Patched versions
7.0.14, 8.0.3


Description


Impact

Specially crafted traffic can cause Suricata to consume large amounts
of memory while parsing DNP3 traffic. This can lead to the process
slowing down and running out of memory, potentially leading to it
getting killed by the OOM killer.


Patches

Upgrade to 8.0.3 or 7.0.14.


Workarounds

Disable the DNP3 parser in the suricata yaml (disabled by default).


References

https://redmine.openinfosecfoundation.org/issues/8181


Credits

Reported by Xiangwei Zhang of Tencent Security YUNDING LAB.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-22259

Weaknesses
Weakness CWE-400
Weakness CWE-770


_____________________________________________________________________


dcerpc: unbounded fragment buffering leads to memory exhaustion
High
victorjulien published GHSA-289c-h599-3xcx Jan 27, 2026

Package
suricata

Affected versions
< 7.0.14, < 8.0.3

Patched versions
7.0.14, 8.0.3


Description

Impact

Crafted DCERPC traffic can cause Suricata to expand a buffer without
limits, leading to memory exhaustion and the process getting killed.
While reported for DCERPC over UDP, it is believed that DCERPC over
TCP and SMB are also vulnerable.

DCERPC/TCP in the default configuration should not be vulnerable, as
the default stream depth is limited to 1MiB.


Patches

Upgrade to 8.0.3 or 7.0.14.


Workarounds

For DCERPC/UDP: disable the parser.
For DCERPC/TCP, the stream.reassembly.depth setting limits the
amount of data that can be buffered.
For DCERPC/SMB, stream.reassembly.depth can be used as well, but it is
set to unlimited by default. Imposing a limit here may lead to loss of
visibility in SMB.

To disable DCERPC over UDP but keep it enabled on TCP, you need this
section in suricata.yaml:

    dcerpc:
      # no field enabled at this level
      tcp:
        enabled: yes
      udp:
        enabled: no


References

https://redmine.openinfosecfoundation.org/issues/8182


Credits

Reported by Xiangwei Zhang of Tencent Security YUNDING LAB.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-22258

Weaknesses
Weakness CWE-400
Weakness CWE-770

_____________________________________________________________________


http1: poorly bounded recursion in decompression
High
victorjulien published GHSA-3gm8-84cm-5x22 Jan 27, 2026

Package
suricata

Affected versions
>= 8.0.0, < 8.0.3

Patched versions
8.0.3


Description

Impact

Suricata can crash with a stack overflow.


Patches

Upgrade to 8.0.3.


Workarounds

Use the default values for request-body-limit and response-body-limit.


References

https://redmine.openinfosecfoundation.org/issues/8185

Credits

oss-fuzz


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-22260

Weaknesses
Weakness CWE-674

_____________________________________________________________________


detect/alert: heap-use-after-free on alert queue expansion
High
victorjulien published GHSA-mqr8-m3m4-2hw5 Jan 27, 2026

Package
suricata

Affected versions
< 7.0.14, < 8.0.3

Patched versions
7.0.14, 8.0.3


Description

Impact

An unsigned integer overflow can lead to a heap use-after-free
condition when generating excessive amounts of alerts for a single
packet.


Patches

Upgrade to 8.0.3 or 7.0.14.


Workarounds

Do not run untrusted rulesets.
Run with less than 65536 signatures that can match on the same
packet.


References

https://redmine.openinfosecfoundation.org/issues/8190


Severity
High
7.4 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE ID
CVE-2026-22264

Weaknesses
Weakness CWE-416

_____________________________________________________________________


http1: quadratic complexity in headers parsing over multiple packets
Moderate
victorjulien published GHSA-rwc5-hxj6-hwx7 Jan 27, 2026

Package
suricata

Affected versions
>= 8.0.0, < 8.0.3

Patched versions
8.0.3


Description

Impact

Inefficiency in http1 headers parsing can lead to slowdown over
multiple packets.


Patches

Upgrade to 8.0.3.


Workarounds

No known workarounds


References

https://redmine.openinfosecfoundation.org/issues/8201


Credits

oss-fuzz

Severity
Moderate
5.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID
CVE-2026-22263

Weaknesses
Weakness CWE-1050

_____________________________________________________________________


datasets: stack overflow when saving a set
Moderate
victorjulien published GHSA-9qg5-2gwh-xp86 Jan 27, 2026

Package
suricata

Affected versions
< 7.0.14, < 8.0.3

Patched versions
7.0.14, 8.0.3


Description

Impact

While saving a dataset a stack buffer is used to prepare the data.
If the data in the dataset is too large, this can result in a stack
overflow.


Patches

Upgrade to 8.0.3 or 7.0.14.


Workarounds

Do not use rules with the dataset save or state options.


References

https://redmine.openinfosecfoundation.org/issues/8110


Severity
Moderate
5.9 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-22262

Weaknesses
Weakness CWE-121

_____________________________________________________________________


eve/alert: http1 xff handling can lead to denial of service
Low
victorjulien published GHSA-5jvg-5j3p-34cf Jan 27, 2026

Package
suricata

Affected versions
< 7.0.14, < 8.0.3

Patched versions
7.0.14, 8.0.3


Description

Impact

Various inefficiencies in xff handling, especially for alerts not
triggered in a tx, can lead to severe slowdowns.


Patches

Upgrade to 8.0.3 or 7.0.14.


Workarounds

Disable XFF support in the eve configuration. The setting is
disabled by default.


References

https://redmine.openinfosecfoundation.org/issues/8156


Severity
Low
3.7 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID
CVE-2026-22261

Weaknesses
Weakness CWE-1050
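The "Affected versions" lines above (for example "< 7.0.14, < 8.0.3") give one upper bound per maintained branch, so a checker that applies every clause at once would wrongly flag the patched 7.0.14 because 7.0.14 < 8.0.3 holds. The script below is an added example, not CERT-Renater or OISF code; it assumes each clause belongs to the major-version branch it names and evaluates only that branch's clauses against the running version.

```python
"""Exposure check against the Suricata advisory version ranges above.
Added example (not CERT-Renater or OISF code). Assumption: every
comma-separated clause in an "Affected versions" string belongs to the
major-version branch it names, e.g. "< 7.0.14" only speaks about 7.x."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

# (advisory, "Affected versions" string) copied from the advisories above.
ADVISORIES = [
    ("GHSA-878h-2x6v-84q9 dnp3",      "< 7.0.14, < 8.0.3"),
    ("GHSA-3gm8-84cm-5x22 http1",     ">= 8.0.0, < 8.0.3"),
    ("GHSA-mqr8-m3m4-2hw5 alert uaf", "<7.0.14,<8.0.3"),
]

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.strip().split("."))

def parse_range(spec: str) -> Dict[int, List[Clause]]:
    """Group clauses such as '< 7.0.14' by the major version they mention."""
    branches: Dict[int, List[Clause]] = {}
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        bound = parse_version(m.group(2))
        branches.setdefault(bound[0], []).append((m.group(1), bound))
    return branches

def is_affected(running: str, spec: str) -> Optional[bool]:
    """True/False when the range covers the running version's branch,
    None when it does not mention that branch at all (e.g. 7.x against
    '>= 8.0.0, < 8.0.3'). Only the clauses of the running version's own
    branch are evaluated, so 7.0.14 is never compared with 8.0.3."""
    v = parse_version(running)
    clauses = parse_range(spec).get(v[0])
    if clauses is None:
        return None
    return all(OPS[op](v, bound) for op, bound in clauses)

def exposure(running: str) -> Dict[str, Optional[bool]]:
    """Map every listed advisory to its verdict for one running version."""
    return {name: is_affected(running, spec) for name, spec in ADVISORIES}

if __name__ == "__main__":
    for ver in ("7.0.12", "7.0.14", "8.0.2", "8.0.3"):
        print(ver, exposure(ver))
```

A None verdict (branch not mentioned, such as 6.x) means the advisory text does not settle the question and the branch's own support status has to be checked separately.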


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================