SB2026060304 - Multiple vulnerabilities in Suricata


Published: June 3, 2026

Security Bulletin ID: SB2026060304
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 16
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 6%
Medium: 81%
Low: 13%
Critical: 0%

Description

This security bulletin contains information about 16 vulnerabilities.


1) Deadlock (CVE-ID: CVE-2026-46352)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to deadlock in IP defragmentation code when processing fragmented traffic containing an encapsulated tunnel protocol whose payload is itself fragmented. A remote attacker can send specially crafted fragmented traffic to cause a denial of service.


2) Out-of-bounds write (CVE-ID: CVE-2026-45770)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass the Lua sandbox.

The vulnerability exists due to out-of-bounds write in the Lua detection state when registering excessive flow variables in a Lua rule. A remote attacker can load a crafted Lua script or rule to bypass the Lua sandbox.

This requires an affected Lua script or rule to be loaded.


3) Improper handling of highly compressed data (CVE-ID: CVE-2026-46387)

CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in the HTTP/2 decompression path when processing compressed HTTP/2 DATA payloads. A remote attacker can send a specially crafted compressed payload to cause a denial of service.

The issue can cause excessive memory allocation while decompressing gzip, deflate, or brotli-compressed response bodies.


4) NULL pointer dereference (CVE-ID: CVE-2026-45747)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to null pointer dereference in TlsGetCertInfo when processing crafted TLS traffic with absent certificate fields. A remote attacker can send crafted TLS traffic to cause a denial of service.

Only deployments using affected Lua TLS scripting are vulnerable.


5) Use-after-free (CVE-ID: CVE-2026-45751)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the inspection-buffer helper when processing specific network traffic with a chained transform that causes the backing buffer to be reallocated. A remote attacker can trigger the vulnerable traffic processing to cause a denial of service.

Exploitation requires a specific but not malicious rule.


6) Use-after-free (CVE-ID: CVE-2026-45752)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in decompress transform pipeline when processing network traffic with certain chained detection transforms. A remote attacker can trigger the vulnerable code path to cause a denial of service.

Exploitation requires a malicious rule that chains gunzip or zlib_deflate with max-size greater than 4096 after another transform.


7) Resource exhaustion (CVE-ID: CVE-2026-45759)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in HTTP response body processing when parsing large HTTP Content-Disposition headers. A remote attacker can send crafted HTTP traffic to cause a denial of service.


8) Heap-based buffer overflow (CVE-ID: CVE-2026-45761)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to heap-based buffer overflow in the rule parser when loading crafted mixed-case frame syntax in signatures. A local user can load a specially crafted rule to cause a denial of service.

The issue is triggered during rule parsing and loading rather than by network traffic alone.


9) Type Confusion (CVE-ID: CVE-2026-45762)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to access of resource using incompatible type in the IP defragmentation tracker lookup when processing crafted fragmented IPv4 and IPv6 traffic. A remote attacker can send specially crafted fragmented packets to cause a denial of service.

An IPv6 fragment may be associated with an IPv4 defragmentation tracker during defragmentation.


10) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-45763)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the Lua sandbox when executing Lua rules. A remote attacker can use a crafted Lua script or rule with certain allocation patterns to cause a denial of service.

This requires Lua rule execution to be enabled and an affected Lua script or rule to be loaded.


11) Type Confusion (CVE-ID: CVE-2026-45764)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to type confusion in the HTTP/2 traffic processing logic when processing crafted HTTP/2 traffic with a protocol change. A remote attacker can send specially crafted traffic to cause a denial of service.


12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-45765)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the DNP3 reassembly logic when processing crafted DNP3 traffic. A remote attacker can send specially crafted DNP3 traffic to cause a denial of service.

DNP3 is not enabled by default.


13) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-45766)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in the NFS parser state structures when processing crafted NFS traffic. A remote attacker can send crafted NFS traffic to cause a denial of service.


14) Resource exhaustion (CVE-ID: CVE-2026-45769)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the IKEv2 parser state when processing repeated crafted UDP traffic that stores client transforms. A remote attacker can send repeated crafted UDP traffic to cause a denial of service.


15) Resource exhaustion (CVE-ID: CVE-2026-45768)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the LDAP transaction state when processing crafted LDAP traffic over UDP. A remote attacker can send specially crafted traffic to cause a denial of service.


16) Path traversal (CVE-ID: CVE-2026-45767)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to overwrite arbitrary files.

The vulnerability exists due to path traversal in the datasets save and load command handling when loading or reloading a malicious rule that combines save to an absolute filename with the load command. A remote privileged user can provide a specially crafted rule to overwrite arbitrary files.
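Entries 6 and 16 above depend on what is in the loaded rule set rather than on traffic alone, so a rule-file audit is a useful pre-deployment check. The Python below is an added example, not part of this bulletin or of the Suricata project: it flags a dataset that saves to an absolute filename and also loads (entry 16) and a gunzip/zlib_deflate decompression chained after another transform with max-size above 4096 (entry 6). The dataset option form follows Suricata's documented syntax; the decompression keywords and the "max-size" spelling are assumed from the bulletin's wording.

```python
import re

# Constructed sample rule file (not from the bulletin); sids are placeholders.
# "dataset:" follows Suricata's documented "cmd,name,type t,load f,save f" form;
# gunzip/zlib_deflate and "max-size" are assumed spellings, adapt to your release.
SAMPLE_RULES = """\
alert dns any any -> any any (msg:"dataset ok"; dns.query; dataset:isset,seen,type string,load seen.lst; sid:1;)
alert http any any -> any any (msg:"dataset abs save+load"; http.user_agent; dataset:set,ua,type string,save /opt/out.lst,load /opt/out.lst; sid:2;)
alert http any any -> any any (msg:"chain risky"; http.response_body; from_base64; gunzip max-size 65536; content:"x"; sid:3;)
alert http any any -> any any (msg:"chain ok size"; http.response_body; from_base64; gunzip max-size 4096; content:"x"; sid:4;)
alert http any any -> any any (msg:"no prior transform"; http.response_body; zlib_deflate max-size 65536; content:"x"; sid:5;)
"""
# Partial list of Suricata's documented transform keywords.
TRANSFORMS = {"dotprefix", "strip_whitespace", "compress_whitespace", "to_md5",
              "to_sha1", "to_sha256", "pcrexform", "url_decode", "xor", "luaxform",
              "header_lowercase", "strip_pseudo_headers", "to_lowercase", "to_uppercase", "from_base64"}
DECOMPRESS = {"gunzip", "zlib_deflate"}
SID_RE = re.compile(r"\bsid:\s*(\d+)")
SIZE_RE = re.compile(r"max-size\s*[:=]?\s*(\d+)")

def rule_options(line):
    """Split the option section of one rule into statements (no quoted ';' support)."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        return []
    return [o.strip() for o in line[start + 1:end].split(";") if o.strip()]

def audit_rule(line):
    """Return finding strings for one rule line; empty list when it is clean."""
    findings, seen_transform = [], False
    m = SID_RE.search(line)
    sid = m.group(1) if m else "?"
    for opt in rule_options(line):
        kw = opt.split(None, 1)[0].split(":", 1)[0]  # keyword before ':' or space
        if kw == "dataset":
            fields = [f.strip() for f in opt.split(":", 1)[1].split(",")]
            saves = [f[5:].strip() for f in fields if f.startswith("save ")]
            loads = any(f.startswith("load ") for f in fields)
            if saves and loads and saves[0].startswith("/"):
                findings.append(f"sid {sid}: dataset saves to absolute path {saves[0]} and loads it")
        elif kw in DECOMPRESS:
            s = SIZE_RE.search(opt)
            size = int(s.group(1)) if s else 0
            if seen_transform and size > 4096:
                findings.append(f"sid {sid}: {kw} max-size {size} > 4096 chained after another transform")
        if kw in TRANSFORMS or kw in DECOMPRESS:
            seen_transform = True  # a later decompress keyword counts as chained
    return findings

def audit_rules(text):
    """Audit every non-comment, non-empty line of a rule file."""
    return [f for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            for f in audit_rule(line)]
```

Run `audit_rules` over each rules file before loading it; sid 2 and sid 3 of the sample are reported, the others are clean.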


Remediation

Install update from vendor's website.
