
CVE-2025-53538: Oisf Suricata HTTP/2 DoS Vulnerability

CVE-2025-53538 is a denial of service flaw in Oisf Suricata's HTTP/2 parser that causes uncontrolled memory usage and loss of visibility. This article covers technical details, affected versions, impact, and mitigation.

Published: April 22, 2026

CVE-2025-53538 Overview

CVE-2025-53538 is a resource exhaustion vulnerability affecting Suricata, the open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine developed by the Open Information Security Foundation (OISF). The vulnerability exists in the HTTP/2 parser component and stems from improper handling of data frames sent on HTTP/2 stream 0, which according to RFC 9113 should never contain application data. This mishandling can lead to uncontrolled memory consumption, ultimately resulting in loss of network visibility—a critical failure mode for security monitoring infrastructure.

Critical Impact

Attackers can exploit this vulnerability remotely without authentication to cause memory exhaustion in Suricata deployments, potentially disabling network security monitoring and intrusion detection capabilities during an active attack.

Affected Products

  • OISF Suricata versions 7.0.10 and below
  • OISF Suricata version 8.0.0-beta1
  • OISF Suricata version 8.0.0-rc1

Discovery Timeline

  • July 22, 2025 - CVE-2025-53538 published to NVD
  • October 6, 2025 - Last updated in NVD database

Technical Details for CVE-2025-53538

Vulnerability Analysis

This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The issue arises from how Suricata's HTTP/2 parser handles data frames received on stream ID 0. Per the HTTP/2 specification (RFC 9113 Section 5.1.1), stream 0 is reserved for connection-level control frames and should never carry DATA frames. However, vulnerable versions of Suricata failed to properly reject or limit data on this stream, allowing attackers to send malformed HTTP/2 traffic that triggers unbounded memory allocation.

The vulnerability is particularly concerning because it targets network security infrastructure itself. When a Suricata sensor experiences memory exhaustion, it may fail to inspect network traffic, effectively blinding security teams during what could be the most critical moment—an active intrusion attempt. The attack can be executed remotely over the network without any authentication or user interaction required.

Root Cause

The root cause lies in the HTTP/2 parser's failure to validate that DATA frames are not sent on stream 0 as required by the HTTP/2 specification. Additionally, the code incorrectly treated global transactions (those associated with stream 0) as potentially holding files, which led to improper resource tracking and memory allocation. The fix introduces explicit validation to detect and flag data frames on stream 0 as a protocol violation, along with correcting the file handling logic for global transactions.

Attack Vector

An attacker can exploit this vulnerability by sending crafted HTTP/2 traffic to a network segment monitored by a vulnerable Suricata deployment. The attack involves sending HTTP/2 DATA frames on stream 0, which violates the protocol specification. When Suricata receives this malformed traffic, the parser mishandles it, leading to unbounded memory allocation. The attack requires no authentication and can be executed from any network position that can send traffic visible to the Suricata sensor.

The following code shows the security patches applied to address this vulnerability:

HTTP/2 Event Detection Rule Addition:

text
 alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 dns request too long"; flow:established,to_server; app-layer-event:http2.dns_request_too_long; classtype:protocol-command-decode; sid:2290016; rev:1;)
 alert http2 any any -> any any (msg:"SURICATA HTTP2 dns response too long"; flow:established,to_client; app-layer-event:http2.dns_response_too_long; classtype:protocol-command-decode; sid:2290017; rev:1;)
+alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;)
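Review bot: this rule only fires once the parser actually raises the http2.data_stream_zero app-layer event, and the hunk that emits that event on a stream-0 DATA frame is not shown alongside it; the event-enum hunk only declares the variant. The rule change should land in the same commit as the parser change so a rule update cannot be deployed ahead of the code it depends on. Using `flow:established` without a direction is appropriate here, since a DATA frame on stream 0 is a violation from either peer.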

Source: GitHub Commit - HTTP/2 Stream 0 Detection

Rust Parser Event Enumeration Update:

rust
     ReassemblyLimitReached,
     DnsRequestTooLong,
     DnsResponseTooLong,
+    DataStreamZero,
 }

 pub struct HTTP2DynTable {
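Review bot: `DataStreamZero` is appended as the last variant, which keeps the numbering of the existing events stable; good. The name must stay in step with the `http2.data_stream_zero` keyword used in the rules file, since the keyword string is derived from the variant name, so any later rename here has to be mirrored in the .rules file or the rule will fail to load.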

Source: GitHub Commit - Event Type Addition

Global Transaction File Handling Fix:

rust
         self.tx_id += 1;
         tx.tx_id = self.tx_id;
         tx.state = HTTP2TransactionState::HTTP2StateGlobal;
-        tx.tx_data.update_file_flags(self.state_data.file_flags);
-        // TODO can this tx hold files?
-        tx.tx_data.file_tx = STREAM_TOSERVER|STREAM_TOCLIENT; // might hold files in both directions
-        tx.update_file_flags(tx.tx_data.file_flags);
+        // a global tx (stream id 0) does not hold files cf RFC 9113 section 5.1.1
         self.transactions.push_back(tx);
         return self.transactions.back_mut().unwrap();
     }
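Review bot: the four removed lines are replaced by a comment only, so the global transaction now relies on whatever default `tx.tx_data.file_tx` and the file flags were given where `tx` was constructed (outside this hunk) meaning "no files in either direction"; a one-line note or a debug assertion next to the RFC 9113 comment would make that assumption explicit. Also note this hunk only stops the stream-0 transaction from being treated as a file carrier; the detection of DATA frames on stream 0 itself is a separate change not visible here.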

Source: GitHub Commit - File Flags Fix

Detection Methods for CVE-2025-53538

Indicators of Compromise

  • Unusual memory growth patterns in Suricata processes without corresponding increase in legitimate traffic volume
  • HTTP/2 connections containing DATA frames with stream ID 0 in network packet captures
  • Suricata log entries indicating http2.data_stream_zero events after applying detection signatures
  • Unexplained gaps in IDS/IPS alert coverage or flow logging during periods of network activity

Detection Strategies

  • Deploy the vendor-recommended detection signature: drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) which matches on the 9-byte HTTP/2 frame header, testing for a DATA frame type (byte at offset 3 equal to 0) with stream ID 0 (the four bytes at offset 5 all zero)
  • Monitor Suricata process memory utilization with alerting thresholds for anomalous growth patterns
  • Enable the http2.data_stream_zero app-layer event detection in updated Suricata versions (7.0.11+ and 8.0.0+)
  • Implement network-level logging to capture HTTP/2 frame details for forensic analysis
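As an added example (not code from the advisory or from this page), the following Python script applies the same check as the advisory signature to a captured HTTP/2 byte stream, so the offsets it reports can be cross-checked against the byte_test values above; the sample capture is constructed, and the function and constant names are assumptions of this example.

```python
"""Flag HTTP/2 DATA frames sent on stream 0 in a captured byte stream (CVE-2025-53538 trigger)."""

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface (RFC 9113 3.4)
FRAME_DATA = 0x0
FRAME_NAMES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x8: "WINDOW_UPDATE"}

def iter_frames(payload: bytes):
    """Yield (offset, type, flags, stream_id, length) for every 9-byte frame header.

    Header layout: length(24) | type(8) | flags(8) | R(1) + stream id(31).
    The reserved R bit is masked off here; the advisory signature compares all four
    stream-id bytes to zero, so a frame with R=1 would not match it but is reported here.
    """
    pos = len(PREFACE) if payload.startswith(PREFACE) else 0
    while pos + 9 <= len(payload):
        length = int.from_bytes(payload[pos:pos + 3], "big")
        ftype, flags = payload[pos + 3], payload[pos + 4]
        stream_id = int.from_bytes(payload[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield pos, ftype, flags, stream_id, length
        pos += 9 + length  # skip the body; a truncated final body simply ends the loop

def find_data_on_stream_zero(payload: bytes):
    """Offsets of DATA frames on stream 0, the malformed input RFC 9113 5.1.1 forbids."""
    return [off for off, ftype, _flags, sid, _len in iter_frames(payload)
            if ftype == FRAME_DATA and sid == 0]

def describe(payload: bytes):
    """Human-readable triage lines, one per frame, marking the protocol violation."""
    lines = []
    for off, ftype, _flags, sid, length in iter_frames(payload):
        name = FRAME_NAMES.get(ftype, f"type0x{ftype:02x}")
        mark = "  <- VIOLATION: DATA on stream 0" if ftype == FRAME_DATA and sid == 0 else ""
        lines.append(f"offset {off:4d}: {name:<13} len={length:<5d} stream={sid}{mark}")
    return lines

# Constructed sample capture (not real traffic): preface, a legitimate SETTINGS frame,
# a HEADERS frame on stream 1, then a DATA frame on stream 0, then a normal DATA frame.
SAMPLE_CAPTURE = (
    PREFACE
    + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"          # SETTINGS, stream 0 (allowed)
    + b"\x00\x00\x02\x01\x04\x00\x00\x00\x01\x82\x84"  # HEADERS, stream 1, END_HEADERS
    + b"\x00\x00\x04\x00\x00\x00\x00\x00\x00ABCD"      # DATA, stream 0 (forbidden)
    + b"\x00\x00\x02\x00\x01\x00\x00\x00\x01hi"        # DATA, stream 1, END_STREAM
)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_CAPTURE)))
    print("stream-0 DATA frames at offsets:", find_data_on_stream_zero(SAMPLE_CAPTURE))
```

Like the frame:http2.hdr signature, this only works on frame headers the sensor can see in cleartext, so it applies to h2c or to traffic decrypted before it reaches the sensor.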

Monitoring Recommendations

  • Configure system-level monitoring for Suricata memory usage with automated alerting when thresholds are exceeded
  • Enable Suricata statistics logging (stats.log) to track HTTP/2 parser anomalies and resource utilization trends
  • Implement redundant network monitoring coverage to detect security visibility gaps if primary Suricata sensors fail
  • Review HTTP/2 traffic patterns for connections that deviate from normal protocol behavior

How to Mitigate CVE-2025-53538

Immediate Actions Required

  • Upgrade Suricata to version 7.0.11 or 8.0.0 immediately to address this vulnerability
  • If immediate patching is not possible, implement the detection signature to drop malicious traffic as a temporary mitigation
  • Review Suricata deployment architecture to ensure redundant monitoring coverage in case of sensor failure
  • Audit recent logs for signs of exploitation attempts or unexplained resource consumption events

Patch Information

OISF has released patched versions of Suricata that address this vulnerability. Users should upgrade to version 7.0.11 for the 7.x branch or version 8.0.0 for the 8.x branch. The fixes are documented in the GitHub Security Advisory GHSA-qrr7-crgj-cmh3. The patches introduce proper validation for HTTP/2 stream 0 data handling and correct the file flag behavior for global transactions.

Workarounds

  • Disable the HTTP/2 parser entirely in Suricata configuration if HTTP/2 monitoring is not critical to your environment
  • Implement the inline blocking signature provided in the advisory to drop malicious HTTP/2 traffic before it reaches the vulnerable parser
  • Consider deploying upstream network filtering to block suspicious HTTP/2 traffic patterns before they reach Suricata sensors
  • Enable resource limits for the Suricata process at the operating system level to prevent complete system resource exhaustion
yaml
# Suricata configuration workaround - disable the HTTP/2 parser.
# In suricata.yaml, locate the app-layer protocols section and set http2 to disabled:

app-layer:
  protocols:
    http2:
      enabled: no

text
# Alternative: deploy the blocking signature from the advisory.
# Add to local.rules or another loaded rules file. The two byte_test checks match a
# DATA frame (type byte 0 at offset 3) carrying stream ID 0 (four zero bytes at offset 5).
# The drop action only blocks in IPS (inline) mode; in IDS mode the rule logs an alert.
drop http2 any any -> any any (msg:"CVE-2025-53538 HTTP2 Stream 0 Data Attack"; frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid:2025535381; rev:1;)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Suricata
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.10%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-400

Vendor Resources

  • GitHub Commit Update
  • GitHub Commit Update
  • GitHub Security Advisory

Related CVEs

  • CVE-2026-31937: Suricata DCERPC DOS Vulnerability
  • CVE-2026-31935: Suricata HTTP2 DoS Vulnerability
  • CVE-2026-31934: Suricata SMTP DoS Vulnerability
  • CVE-2026-31933: Suricata IDS/IPS DoS Vulnerability