
CVE-2025-29915: Oisf Suricata DOS Vulnerability

CVE-2025-29915 is a denial of service vulnerability in Oisf Suricata caused by AF_PACKET defrag misconfigurations leading to truncated packets. This article covers technical details, affected versions, and mitigation.

Updated: May 19, 2026

CVE-2025-29915 Overview

CVE-2025-29915 affects Suricata, an open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring engine maintained by the Open Information Security Foundation (OISF). The vulnerability stems from a configuration mismatch between the AF_PACKET defragmentation feature and Suricata's default packet buffer size. When AF_PACKET reassembles fragmented packets before passing them to Suricata, the resulting reassembled packet can exceed the buffer size derived from the network interface Maximum Transmission Unit (MTU). Suricata then processes a truncated view of the traffic, which can allow attackers to evade detection signatures and inspection logic.

Critical Impact

Attackers can craft fragmented network traffic that bypasses Suricata IDS/IPS inspection, undermining the integrity of network detection without triggering alerts.

Affected Products

  • OISF Suricata versions prior to 7.0.9
  • Deployments using the default AF_PACKET capture method on Linux
  • Suricata installations relying on MTU-derived default packet size with defrag enabled

Discovery Timeline

  • 2025-04-10 - CVE-2025-29915 published to the National Vulnerability Database (NVD)
  • 2025-05-29 - Last updated in NVD database

Technical Details for CVE-2025-29915

Vulnerability Analysis

The vulnerability is classified under CWE-347 and is rooted in inconsistent defaults between the kernel-level AF_PACKET capture interface and Suricata's user-space packet inspection engine. Suricata uses AF_PACKET as one of its primary packet acquisition methods on Linux. The defrag option for AF_PACKET is enabled by default and instructs the kernel to reassemble IP fragments before delivering them to user space.

When multiple fragments are reassembled, the resulting packet can exceed the interface MTU, commonly 1500 bytes. Suricata's default packet size is derived from that MTU, so the reassembled packet is silently truncated when copied into Suricata's inspection buffer. As a result, the detection engine inspects only the leading bytes of the reassembled flow and misses payload content beyond the truncation boundary.

Root Cause

The root cause is a mismatch between two independent defaults. The AF_PACKET capture layer produces packets larger than the MTU after defragmentation, while Suricata's allocated packet buffer is sized to the MTU. There was no warning to operators when this configuration combination produced truncation, and no event was emitted when a packet was truncated.

Attack Vector

An attacker on the network can send IP-fragmented traffic whose reassembled length exceeds the MTU-derived buffer. Malicious payloads placed in the truncated region pass through the sensor without being matched against signatures, bypassing IDS and IPS rules. The attack requires no authentication and no user interaction.

```text
# Patch excerpt: rules/decoder-events.rules
# Adds a decode event so operators are alerted when AF_PACKET truncates packets
alert pkthdr any any -> any any (msg:"SURICATA packet with too many layers"; decode-event:too_many_layers; classtype:protocol-command-decode; sid:2200116; rev:1;)

# Capture events.
alert pkthdr any any -> any any (msg:"SURICATA AF-PACKET truncated packet"; decode-event:afpacket.trunc_pkt; classtype:protocol-command-decode; sid:2200122; rev:1;)

# next sid is 2200123
# Source: https://github.com/OISF/suricata/commit/d78f2c9a4e2b59f44daeddff098915084493d08d
```

Detection Methods for CVE-2025-29915

Indicators of Compromise

  • Alerts from the new Suricata rule SID 2200122 (SURICATA AF-PACKET truncated packet) introduced in version 7.0.9
  • Non-zero counters under the EVE JSON event.afpacket.trunc_pkt field, indicating packets truncated at the capture layer
  • Unexpected gaps in protocol reconstruction logs (HTTP, TLS, DNS) for flows that contain fragmented IP traffic

Detection Strategies

  • Enable Suricata 7.0.9 decode-event rules and alert on decode-event:afpacket.trunc_pkt
  • Cross-reference EVE JSON stats output with interface-level fragmentation counters from ip -s link and ethtool -S
  • Hunt for fragmented flows where Suricata produced no application-layer logs despite matching network traffic in flow records or NetFlow exports
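As an added example (not part of the original page), the first two detection strategies above as a hunt over constructed EVE JSON lines: it counts alerts from SID 2200122 and measures growth of the trunc_pkt decoder counter between stats records. The stats path stats.decoder.event.afpacket.trunc_pkt is an assumption about where that counter lands in EVE output.

```python
import json

# Constructed EVE JSON lines (not real sensor output). The alert mirrors the 7.0.9
# decoder rule sid 2200122; the stats path used for the counter is an assumption.
SAMPLE_EVE = """\
{"timestamp":"2025-05-01T10:00:00.000000+0000","event_type":"stats","stats":{"decoder":{"event":{"afpacket":{"trunc_pkt":0}}}}}
{"timestamp":"2025-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2200122,"rev":1,"signature":"SURICATA AF-PACKET truncated packet","category":"Generic Protocol Command Decode"}}
{"timestamp":"2025-05-01T10:00:08.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED unrelated alert","category":"Misc activity"}}
{"timestamp":"2025-05-01T10:00:10.000000+0000","event_type":"stats","stats":{"decoder":{"event":{"afpacket":{"trunc_pkt":17}}}}}
"""
TRUNC_SID = 2200122  # sid of "SURICATA AF-PACKET truncated packet" (decoder-events.rules)


def parse_eve(text):
    """Yield decoded EVE records, skipping blank or malformed lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except ValueError:
            continue  # a torn or partially written line must not abort the hunt


def truncation_alerts(events):
    """Alerts raised by the AF-PACKET truncated packet decoder rule."""
    return [e for e in events if e.get("event_type") == "alert"
            and e.get("alert", {}).get("signature_id") == TRUNC_SID]


def trunc_pkt_growth(events):
    """Growth of the cumulative trunc_pkt counter between first and last stats record."""
    values = []
    for e in events:
        if e.get("event_type") != "stats":
            continue
        try:
            values.append(int(e["stats"]["decoder"]["event"]["afpacket"]["trunc_pkt"]))
        except (KeyError, TypeError, ValueError):
            continue  # older sensors do not emit this counter at all
    return values[-1] - values[0] if len(values) >= 2 else 0


def hunt(text):
    """Both indicators for one EVE file; any non-zero value means the sensor had a blind spot."""
    events = list(parse_eve(text))
    alerts = truncation_alerts(events)
    return {"alerts": len(alerts), "sources": sorted({a.get("src_ip", "unknown") for a in alerts}),
            "trunc_pkt_growth": trunc_pkt_growth(events)}
```

Run hunt() over each sensor's eve.json on a schedule; a growing counter without a matching alert means the 7.0.9 decoder rules are not loaded on that sensor.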

Monitoring Recommendations

  • Forward Suricata EVE JSON, including the new afpacket event object, into a centralized log platform for trend analysis
  • Baseline normal fragmentation volumes per sensor and alert on sudden spikes in fragmented or truncated packets
  • Validate sensor coverage with periodic synthetic fragmented traffic tests to confirm the IDS sees full reassembled payloads

How to Mitigate CVE-2025-29915

Immediate Actions Required

  • Upgrade all Suricata sensors to version 7.0.9 or later, which ships improved defaults and operator warnings
  • Audit the af-packet section of suricata.yaml and explicitly set a default-packet-size larger than the maximum expected reassembled packet
  • Deploy the updated decoder-events.rules so SID 2200122 is active and surfacing truncation events

Patch Information

The fix is delivered in the upstream commit OISF/suricata d78f2c9 and documented in the OISF GitHub Security Advisory GHSA-7m5c-cqx4-x8mp. Additional engineering context is available in the OISF Redmine task report. Operators should pull Suricata 7.0.9 packages from their distribution or rebuild from the tagged release.

Workarounds

  • Set af-packet.defrag to no to disable kernel-side reassembly and rely on Suricata's own defragmentation engine, accepting the performance trade-off
  • Increase default-packet-size in suricata.yaml to a value such as 9000 to accommodate reassembled fragments on standard Ethernet links
  • Where supported, switch the capture method to AF_XDP or DPDK and validate that packet buffers are sized above the maximum reassembled length

```yaml
# /etc/suricata/suricata.yaml - mitigation configuration
# 1) Ensure packet buffers are large enough for reassembled fragments
default-packet-size: 9000

# 2) AF_PACKET capture settings
af-packet:
  - interface: eth0
    defrag: yes
    # AF_PACKET socket buffer size in bytes; the per-packet limit is
    # default-packet-size above, not this value
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: yes
```
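As an added example (not the project's code) of the af-packet audit recommended under Immediate Actions and the workarounds above: a Python check over constructed suricata.yaml fragments that flags every interface where AF_PACKET defrag is on (explicitly or by default) while default-packet-size, or the MTU-derived fallback when it is unset, is smaller than the largest reassembled datagram the operator expects. The minimal line-based parser assumes the stock file's indentation.

```python
import re

# Constructed suricata.yaml fragments (not the project's shipped file), laid out like the stock af-packet section.
VULNERABLE_YAML = """\
default-packet-size: 1514   # MTU-sized buffer, the pre-7.0.9 style default
af-packet:
  - interface: eth0
    defrag: yes
    use-mmap: yes
  - interface: eth1
    defrag: no
  - interface: eth2          # defrag omitted: AF_PACKET defrag is on by default
threads: 4
"""
HARDENED_YAML = VULNERABLE_YAML.replace("default-packet-size: 1514", "default-packet-size: 9000")

def parse_afpacket(yaml_text):
    """Extract default-packet-size and per-interface af-packet settings (line-based, not a YAML parser)."""
    packet_size, interfaces, in_afpacket = None, [], False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line:
            continue
        m = re.match(r"^default-packet-size:\s*(\d+)$", line)
        if m:
            packet_size = int(m.group(1))
            continue
        if not line[0].isspace():  # any other top-level key starts or ends the section
            in_afpacket = line.startswith("af-packet:")
            continue
        if not in_afpacket:
            continue
        m = re.match(r"^\s*-\s*interface:\s*(\S+)$", line)
        if m:
            interfaces.append({"interface": m.group(1)})
        elif interfaces and (m := re.match(r"^\s*([\w-]+):\s*(\S+)$", line)):
            interfaces[-1][m.group(1)] = m.group(2)
    return packet_size, interfaces

def audit(yaml_text, max_reassembled=9000, mtu=1500):
    """One finding per interface where kernel defrag is on but the packet buffer
    (explicit, or MTU-derived when unset) is smaller than the largest reassembled datagram expected."""
    packet_size, interfaces = parse_afpacket(yaml_text)
    effective = packet_size if packet_size is not None else mtu
    findings = []
    for iface in interfaces:
        defrag_on = iface.get("defrag", "yes").lower() in ("yes", "true")
        if defrag_on and effective < max_reassembled:
            findings.append(f"{iface['interface']}: defrag enabled but packet size "
                            f"{effective} < {max_reassembled}")
    return findings
```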

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: DOS
  • Vendor/Tech: Oisf Suricata
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.10%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Assessment
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References
  • CWE-347

Technical References
  • OpenInfoSec Task Report

Vendor Resources
  • GitHub Commit Update
  • GitHub Security Advisory

Related CVEs
  • CVE-2026-31935: Oisf Suricata DOS Vulnerability
  • CVE-2026-22261: Oisf Suricata DOS Vulnerability
  • CVE-2025-64334: Oisf Suricata DOS Vulnerability
  • CVE-2025-59148: Oisf Suricata DoS Vulnerability
©2026 SentinelOne, All Rights Reserved.