SB2026060304 - Multiple vulnerabilities in Suricata
Published: June 3, 2026
Description
This security bulletin contains information about 16 vulnerabilities.
1) Deadlock (CVE-ID: CVE-2026-46352)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to deadlock in IP defragmentation code when processing fragmented traffic containing an encapsulated tunnel protocol whose payload is itself fragmented. A remote attacker can send specially crafted fragmented traffic to cause a denial of service.
2) Out-of-bounds write (CVE-ID: CVE-2026-45770)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass the Lua sandbox.
The vulnerability exists due to out-of-bounds write in the Lua detection state when registering excessive flow variables in a Lua rule. A remote attacker can load a crafted Lua script or rule to bypass the Lua sandbox.
This requires an affected Lua script or rule to be loaded.
3) Improper handling of highly compressed data (CVE-ID: CVE-2026-46387)
CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of highly compressed data in the HTTP/2 decompression path when processing compressed HTTP/2 DATA payloads. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
The issue can cause excessive memory allocation while decompressing gzip, deflate, or brotli-compressed response bodies.
4) NULL pointer dereference (CVE-ID: CVE-2026-45747)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in TlsGetCertInfo when processing crafted TLS traffic with absent certificate fields. A remote attacker can send crafted TLS traffic to cause a denial of service.
Only deployments using affected Lua TLS scripting are vulnerable.
5) Use-after-free (CVE-ID: CVE-2026-45751)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the inspection-buffer helper when processing specific network traffic with a chained transform that causes the backing buffer to be reallocated. A remote attacker can trigger the vulnerable traffic processing to cause a denial of service.
Exploitation requires a specific but not malicious rule.
6) Use-after-free (CVE-ID: CVE-2026-45752)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the decompress transform pipeline when processing network traffic with certain chained detection transforms. A remote attacker can trigger the vulnerable code path to cause a denial of service.
Exploitation requires a malicious rule that chains gunzip or zlib_deflate with max-size greater than 4096 after another transform.
7) Resource exhaustion (CVE-ID: CVE-2026-45759)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in HTTP response body processing when parsing large HTTP Content-Disposition headers. A remote attacker can send crafted HTTP traffic to cause a denial of service.
8) Heap-based buffer overflow (CVE-ID: CVE-2026-45761)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to heap-based buffer overflow in the rule parser when loading crafted mixed-case frame syntax in signatures. A local user can load a specially crafted rule to cause a denial of service.
The issue is triggered during rule parsing and loading rather than by network traffic alone.
9) Type Confusion (CVE-ID: CVE-2026-45762)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to access of resource using incompatible type in the IP defragmentation tracker lookup when processing crafted fragmented IPv4 and IPv6 traffic. A remote attacker can send specially crafted fragmented packets to cause a denial of service.
An IPv6 fragment may be associated with an IPv4 defragmentation tracker during defragmentation.
10) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-45763)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the Lua sandbox when executing Lua rules. A remote attacker can use a crafted Lua script or rule with certain allocation patterns to cause a denial of service.
This requires Lua rule execution to be enabled and an affected Lua script or rule to be loaded.
11) Type Confusion (CVE-ID: CVE-2026-45764)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to type confusion in the HTTP/2 traffic processing logic when processing crafted HTTP/2 traffic with a protocol change. A remote attacker can send specially crafted traffic to cause a denial of service.
12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-45765)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the DNP3 reassembly logic when processing crafted DNP3 traffic. A remote attacker can send specially crafted DNP3 traffic to cause a denial of service.
DNP3 is not enabled by default.
13) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-45766)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the NFS parser state structures when processing crafted NFS traffic. A remote attacker can send crafted NFS traffic to cause a denial of service.
14) Resource exhaustion (CVE-ID: CVE-2026-45769)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the IKEv2 parser state when processing repeated crafted UDP traffic that stores client transforms. A remote attacker can send repeated crafted UDP traffic to cause a denial of service.
15) Resource exhaustion (CVE-ID: CVE-2026-45768)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the LDAP transaction state when processing crafted LDAP traffic over UDP. A remote attacker can send specially crafted traffic to cause a denial of service.
16) Path traversal (CVE-ID: CVE-2026-45767)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite arbitrary files.
The vulnerability exists due to path traversal in the datasets save and load command handling when loading or reloading a malicious rule that combines save to an absolute filename with the load command. A remote privileged user can provide a specially crafted rule to overwrite arbitrary files.
Remediation
Install the update from the vendor's website.
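Several items above depend on which rules are loaded rather than on traffic alone: items 2, 4 and 10 need a Lua script or rule, and item 16 needs a rule whose dataset keyword combines save to an absolute filename with load. The following triage script is an added example, not code from the vendor or this bulletin. It is a heuristic that assumes the `dataset:<cmd>,<name>,<options>` and `lua:<script>` rule keyword forms, and its sample rules, paths and sids are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample rules (not from the bulletin); paths and sids are made up.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"ua tracker"; http.user_agent; dataset:set,ua-seen,type string,state ua-seen.lst; sid:1000001;)
alert dns any any -> any any (msg:"abs save + load"; dns.query; dataset:set,dq,type string,save /var/lib/example/dq.lst,load dq-seed.lst; sid:1000002;)
alert tls any any -> any any (msg:"lua tls check"; lua:tls-check.lua; sid:1000003;)
# alert http any any -> any any (msg:"disabled"; lua:old.lua; sid:1000004;)
'''

DATASET_RE = re.compile(r'\bdataset\s*:\s*([^;]+);')
LUA_RE = re.compile(r'\blua\s*:\s*!?\s*([^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def dataset_options(body):
    """Split 'set,name,type string,save /x,load y' into {'type': 'string', ...}."""
    opts = {}
    for part in body.split(',')[2:]:          # skip the command and the dataset name
        key, _, value = part.strip().partition(' ')
        opts[key.lower()] = value.strip()
    return opts

def audit_rules(text):
    """Return [(sid, finding)] for enabled rules that meet a precondition named above."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):  # blank or disabled rule
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for ds in DATASET_RE.finditer(line):
            opts = dataset_options(ds.group(1))
            save = opts.get('save', '')
            # Item 16: save to an absolute filename combined with load.
            if 'load' in opts and PurePosixPath(save).is_absolute():
                findings.append((sid, f'dataset save to absolute path {save} with load'))
        for lua in LUA_RE.finditer(line):     # items 2, 4, 10: Lua rule is loaded
            findings.append((sid, f'lua script {lua.group(1).strip()}'))
    return findings

if __name__ == '__main__':
    for sid, finding in audit_rules(SAMPLE_RULES):
        print(sid, finding)
```

A hit means the rule deserves review and that the sensor is in scope for the matching item; it does not show that the installed version is affected.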
References
- https://github.com/OISF/suricata/security/advisories/GHSA-rc34-46x6-mxxm
- https://redmine.openinfosecfoundation.org/issues/8550
- https://github.com/OISF/suricata/security/advisories/GHSA-653j-cc95-vj4c
- https://redmine.openinfosecfoundation.org/issues/8556
- https://github.com/OISF/suricata/security/advisories/GHSA-45p7-j5wm-8wrx
- https://redmine.openinfosecfoundation.org/issues/8513
- https://github.com/OISF/suricata/security/advisories/GHSA-vfc5-9844-rmhv
- https://redmine.openinfosecfoundation.org/issues/6286
- https://github.com/OISF/suricata/security/advisories/GHSA-59q6-j4w8-8pjx
- https://redmine.openinfosecfoundation.org/issues/8537
- https://github.com/OISF/suricata/security/advisories/GHSA-qmc9-vqq2-8mv3
- https://redmine.openinfosecfoundation.org/issues/8536
- https://github.com/OISF/suricata/security/advisories/GHSA-cfq5-g2v5-6652
- https://redmine.openinfosecfoundation.org/issues/8529
- https://github.com/OISF/suricata/security/advisories/GHSA-r74x-74x5-r9vm
- https://redmine.openinfosecfoundation.org/issues/8526
- https://github.com/OISF/suricata/security/advisories/GHSA-gv2j-f6jv-3878
- https://redmine.openinfosecfoundation.org/issues/8510
- https://github.com/OISF/suricata/security/advisories/GHSA-9h43-frr8-xx6m
- https://redmine.openinfosecfoundation.org/issues/8507
- https://github.com/OISF/suricata/security/advisories/GHSA-5rvq-72r5-rqhr
- https://redmine.openinfosecfoundation.org/issues/8492
- https://github.com/OISF/suricata/security/advisories/GHSA-m8x4-c78g-r4vj
- https://redmine.openinfosecfoundation.org/issues/8460
- https://github.com/OISF/suricata/security/advisories/GHSA-jqr4-ch38-wvm6
- https://redmine.openinfosecfoundation.org/issues/8418
- https://github.com/OISF/suricata/security/advisories/GHSA-hg2g-r464-5593
- https://redmine.openinfosecfoundation.org/issues/8415
- https://github.com/OISF/suricata/security/advisories/GHSA-cr4x-w4c4-57p7
- https://redmine.openinfosecfoundation.org/issues/8405
- https://github.com/OISF/suricata/security/advisories/GHSA-gfxq-gffp-w9rv
- https://redmine.openinfosecfoundation.org/issues/8546