CVE-2026-22258 in Suricata

Summary

by MITRE • 01/27/2026

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.


Analysis

by VulDB Data Team • 01/28/2026

CVE-2026-22258 is a critical resource-exhaustion flaw in the Suricata network security engine: while DCERPC traffic is parsed, a buffer is expanded without any upper bound, which leads to denial of service through memory exhaustion. The issue affects Suricata versions prior to 8.0.3 and 7.0.14. It was reported for DCERPC over UDP, and the DCERPC-over-TCP and SMB code paths are believed to be affected as well. The root cause is the absence of a size check on the buffer the DCERPC parser grows while accumulating protocol data, so specially crafted packets can drive memory consumption up until the operating system terminates the process.

The defect sits in the DCERPC parser's handling of incoming data: the buffer into which protocol data is accumulated is expanded without a size constraint. Over UDP no limit is enforced at all, so an attacker can keep the buffer growing until system resources are exhausted. For DCERPC/TCP the default stream depth of 1MiB caps how much data reaches the parser, which provides some protection; SMB has no such cap because its default reassembly depth is unlimited. This inconsistency between transports means the same flaw is reachable through several paths within one application, making it more pervasive than the initial UDP report suggests. The weakness is classified as CWE-770 (allocation of resources without limits or appropriate checks) and maps to ATT&CK technique T1499.004, a denial-of-service technique.

The operational impact of this vulnerability is severe as it can result in complete service disruption of the Suricata engine, effectively removing network monitoring capabilities from the affected system. When triggered, the vulnerability causes the Suricata process to consume all available memory resources until the system's memory management mechanisms terminate the process. This creates a window of opportunity for attackers to perform persistent network disruption attacks, potentially masking other malicious activities while the monitoring system is offline. The vulnerability affects organizations that rely on Suricata for intrusion detection, intrusion prevention, and network security monitoring, potentially leaving critical network infrastructure exposed to undetected threats during the service disruption period. Organizations using default configurations without proper stream depth settings are particularly vulnerable, as the default SMB stream reassembly depth is unlimited, creating a persistent risk.

Mitigation for CVE-2026-22258 starts with upgrading to version 8.0.3 or 7.0.14, which enforce the missing buffer limit. Where patching cannot be done immediately, several workarounds give temporary protection. For DCERPC/UDP the most direct option is to disable the parser, which removes the vulnerable code path from execution. For DCERPC/TCP, the `stream.reassembly.depth` setting caps the amount of data that can be buffered while network monitoring continues. For DCERPC/SMB the same setting can be applied, but its default is unlimited, and imposing a limit may cost visibility into legitimate SMB traffic, so the value needs careful consideration. Organizations should also monitor for abnormal memory growth in the Suricata process and set up automated alerting for a process approaching its memory limits. A reasonable balance between security and operational needs is a stream depth of 1-4 MiB for SMB traffic, which preserves visibility while preventing exploitation.
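The workarounds above expressed as suricata.yaml overrides, as an added example that is not configuration from the advisory or the Suricata project; the `app-layer.protocols.dcerpc.enabled` and `app-layer.protocols.smb.stream-depth` keys and the 4mb value are assumptions to confirm against the suricata.yaml shipped with your installed version:

```yaml
# Added example: suricata.yaml overrides for the CVE-2026-22258 workarounds.
# Key names are assumptions; check them against your installed suricata.yaml.

app-layer:
  protocols:
    # DCERPC/UDP workaround: disable the DCERPC parser.
    # Assumption: this single switch governs the stand-alone DCERPC parser
    # (UDP and TCP); DCERPC carried inside SMB is handled by the SMB parser.
    dcerpc:
      enabled: no

    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
      # Per-protocol reassembly depth for SMB. 0 (the default) means unlimited,
      # which is the exposure the advisory describes. 4mb is the upper end of
      # the 1-4 MiB range recommended above; raising it restores visibility
      # at the cost of more memory an attacker can make the parser buffer.
      stream-depth: 4mb

stream:
  reassembly:
    # Global reassembly depth. 1mb is already the default, which is why
    # DCERPC/TCP is not considered exploitable out of the box on unpatched
    # hosts; do not raise it until the engine is upgraded to 8.0.3 / 7.0.14.
    depth: 1mb
```

After reloading, confirm the SMB and stream settings took effect by checking the startup log for the configured depths, and keep the memory alerting described above in place until the upgrade is done.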

Responsible: GitHub M
Reservation: 01/07/2026
Disclosure: 01/27/2026
Moderation: accepted
CPE: ready
EPSS: 0.00483
KEV: no
Activities: very low
