SB2026042769 - Multiple vulnerabilities in Suricata
Published: April 27, 2026
Description
This security bulletin contains information about 6 security vulnerabilities.
1) Inefficient Algorithmic Complexity (CVE-ID: CVE-2026-31934)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient algorithmic complexity in smtp/mime URL extraction when processing MIME-encoded messages over SMTP. A remote attacker can send crafted SMTP messages to cause a denial of service.
The issue results in a performance impact during URL searching.
2) NULL pointer dereference (CVE-ID: CVE-2026-31931)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the tls.alpn rule keyword when processing traffic that matches rules using this keyword. A remote attacker can send crafted network traffic to cause a denial of service.
3) Inefficient Algorithmic Complexity (CVE-ID: CVE-2026-31933)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient algorithmic complexity in stream inspection when processing specially crafted traffic. A remote attacker can send specially crafted traffic to cause a denial of service.
The issue affects performance in IDS mode.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31935)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the http2 parser when processing crafted HTTP/2 continuation frames. A remote attacker can send a flood of crafted continuation frames to cause a denial of service.
The issue can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system.
5) Inefficient Algorithmic Complexity (CVE-ID: CVE-2026-31937)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient algorithmic complexity in dcerpc buffering when processing dcerpc traffic. A remote attacker can send crafted traffic to cause a denial of service.
6) Inefficient Algorithmic Complexity (CVE-ID: CVE-2026-31932)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient algorithmic complexity in buffering in the krb5 parser. A remote attacker can send crafted network traffic to cause a denial of service.
Remediation
Install the update from the vendor's website.
References
- https://github.com/OISF/suricata/security/advisories/GHSA-hr89-h2pp-f3c8
- https://redmine.openinfosecfoundation.org/issues/8292
- https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3
- https://github.com/OISF/suricata/security/advisories/GHSA-hvp5-gpr6-j4gp
- https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x
- https://github.com/OISF/suricata/security/advisories/GHSA-86vg-w8vm-m3gg
- https://github.com/OISF/suricata/security/advisories/GHSA-rp9m-jcpw-hggr
- https://github.com/advisories/GHSA-rp9m-jcpw-hggr