CVE-2025-64332 Overview
CVE-2025-64332 is a stack overflow vulnerability in Suricata, a widely-deployed network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine developed by the Open Information Security Foundation (OISF) and the Suricata community. The vulnerability exists in the SWF (Shockwave Flash) decompression functionality and can cause Suricata to crash when processing maliciously crafted network traffic, resulting in a denial of service condition.
Critical Impact
Attackers can remotely crash Suricata instances with SWF decompression enabled, potentially disrupting network security monitoring and allowing malicious traffic to pass undetected during the service outage.
Affected Products
- OISF Suricata 7.x versions prior to 7.0.13
- OISF Suricata 8.x versions prior to 8.0.2
- Any Suricata deployment with SWF decompression enabled in suricata.yaml
Discovery Timeline
- 2025-11-26 - CVE-2025-64332 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-64332
Vulnerability Analysis
This vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The flaw exists in Suricata's SWF file decompression routine, where a variable-length array is allocated on the stack rather than the heap. When processing compressed SWF data, particularly LZMA-compressed content, the compressed data buffer is allocated directly on the stack. If the compressed_data_len value is sufficiently large, this allocation exceeds available stack space, causing a stack overflow and subsequent crash.
The vulnerability is network-exploitable and requires no authentication or user interaction to trigger. An attacker can craft network traffic containing malicious SWF content that, when processed by Suricata's decompression engine, triggers the stack overflow condition. While SWF decompression is disabled by default in Suricata configurations, environments that have enabled this feature for deep packet inspection of Flash content are at risk.
Root Cause
The root cause is improper memory allocation in the util-file-decompression.c source file. The vulnerable code allocates the compressed_data buffer as a stack-local variable using a variable-length array (VLA) with size determined by user-controlled input. Stack allocations have strict size limitations, and when the compressed_data_len value exceeds the available stack space, a stack overflow occurs. This is a classic example of unsafe memory management where heap allocation should be used for variable-sized buffers.
Attack Vector
The attack exploits Suricata's network-facing packet inspection capabilities. An attacker can send specially crafted network traffic containing SWF content with manipulated compression metadata. When Suricata's SWF decompression module processes this traffic, it attempts to allocate an oversized buffer on the stack, triggering the overflow and causing the Suricata process to crash. This denial of service can be sustained by repeatedly sending malicious packets.
// Security patch from util-file-decompression.c
// Source: https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117
* | LZMA properties | Uncompressed length | Compressed data |
*/
compressed_data_len += 13;
- uint8_t compressed_data[compressed_data_len];
+ uint8_t *compressed_data = SCCalloc(1, compressed_data_len);
+ if (compressed_data == NULL) {
+ goto error;
+ }
/* put lzma properties */
memcpy(compressed_data, buffer + 12, 5);
/* put lzma end marker */
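Review bot: the heap buffer introduced by `+ uint8_t *compressed_data = SCCalloc(1, compressed_data_len);` now needs a matching SCFree on every exit from this routine, including the path reached through `goto error`, and the visible lines do not show where it is released; please confirm it is freed after decompression and on each early return, otherwise the fix trades a per-file crash for a per-file leak. Also, `compressed_data_len += 13;` still sizes the allocation from a wire-supplied value with no bound visible in this hunk, and `memcpy(compressed_data, buffer + 12, 5);` assumes `buffer` holds at least 17 bytes; checking the claimed length against the configured decompress-depth and against the actual input length before the allocation would stop an oversized length field from forcing a large heap allocation per file.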
The fix moves the allocation from the stack to the heap using SCCalloc(), which can safely handle variable-sized allocations and includes proper NULL checking for allocation failures.
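The root cause and fix described above, as an added example that is not Suricata's code: a heap-allocated version of the SWF LZMA buffer preparation that also caps the wire-supplied length (the role decompress-depth plays in suricata.yaml) and checks that the claimed bytes are actually present before copying. The header layout, the function names, `max_depth` and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not Suricata's code. Assumed ZWS (LZMA) SWF wire layout:
 * "ZWS" | version | file length LE32 | compressed length LE32 |
 * 5 LZMA property bytes | compressed stream. */
#define SWF_ZWS_HDR 17 /* 12 header bytes + 5 LZMA property bytes */
static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Returns 0 with a heap buffer the caller must free(), or -1 if the input
 * is truncated, has the wrong signature, or claims more data than allowed.
 * max_depth plays the role of the decompress-depth cap. */
int swf_lzma_prepare(const uint8_t *buffer, size_t buffer_len,
                     uint32_t max_depth, uint8_t **out, size_t *out_len)
{
    if (buffer_len < SWF_ZWS_HDR || memcmp(buffer, "ZWS", 3) != 0)
        return -1;
    uint32_t compressed_data_len = rd_le32(buffer + 8);
    /* Wire-controlled length: cap it and require the bytes to be present. */
    if (compressed_data_len > max_depth ||
        compressed_data_len > buffer_len - SWF_ZWS_HDR)
        return -1;
    size_t total = (size_t)compressed_data_len + 13; /* props + 8-byte size */
    uint8_t *compressed_data = calloc(1, total);     /* heap, never a VLA */
    if (compressed_data == NULL)
        return -1;
    memcpy(compressed_data, buffer + 12, 5);          /* LZMA properties */
    memset(compressed_data + 5, 0xFF, 8);             /* size unknown: end marker */
    memcpy(compressed_data + 13, buffer + SWF_ZWS_HDR, compressed_data_len);
    *out = compressed_data;
    *out_len = total;
    return 0;
}
/* Constructed sample: version 13, file length 29, 4 compressed bytes. */
const uint8_t swf_sample[] = { 'Z', 'W', 'S', 13, 29, 0, 0, 0, 4, 0, 0, 0,
                               0x5d, 0, 0, 0x80, 0, 1, 2, 3, 4 };
/* Runs swf_lzma_prepare on swf_sample with a given visible length and cap;
 * returns 0 (accepted, layout verified), -1 (rejected) or -2 (bad layout). */
int swf_sample_status(size_t buffer_len, uint32_t max_depth)
{
    uint8_t *out = NULL; size_t n = 0;
    int rc = swf_lzma_prepare(swf_sample, buffer_len, max_depth, &out, &n);
    if (rc == 0 && (n != 17 || out[0] != 0x5d || out[5] != 0xFF || out[16] != 4))
        rc = -2;
    free(out); /* free(NULL) is a no-op on the rejected paths */
    return rc;
}
```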
Detection Methods for CVE-2025-64332
Indicators of Compromise
- Unexpected Suricata process crashes or restarts in logs
- Segmentation fault (SIGSEGV) entries in system logs associated with Suricata
- Sudden gaps in network monitoring data indicating service interruptions
- Network traffic containing malformed or unusually large SWF content payloads
Detection Strategies
- Monitor Suricata service health and implement automatic alerting on process crashes
- Review system logs for stack overflow or segmentation fault indicators related to Suricata processes
- Analyze network traffic for anomalous SWF file transfers, particularly with unusual compression headers
- Implement watchdog processes to detect and alert on Suricata service disruptions
Monitoring Recommendations
- Deploy process monitoring to track Suricata uptime and restart frequency
- Configure log aggregation to capture and alert on Suricata crash events
- Establish baseline metrics for Suricata resource usage to detect anomalous behavior
- Implement network flow monitoring to identify potential exploitation attempts
How to Mitigate CVE-2025-64332
Immediate Actions Required
- Verify if SWF decompression is enabled in your suricata.yaml configuration file
- If SWF decompression is not required, disable it immediately as a temporary mitigation
- Plan and execute an upgrade to Suricata version 7.0.13 or 8.0.2 or later
- Monitor Suricata instances for unusual crashes or restarts while preparing patches
Patch Information
OISF has released patched versions to address this vulnerability. Organizations should upgrade to Suricata 7.0.13 or 8.0.2 depending on their version branch. The fix (commit ad446c9006a77490af51c468aae0ce934f4d2117) moves the vulnerable stack allocation to heap memory, eliminating the stack overflow condition. Patch details are available in the GitHub Security Advisory GHSA-p32q-7wcp-gv92.
Workarounds
- Disable SWF decompression by setting enabled: no under the swf-decompression block of the libhtp default-config in suricata.yaml (this is the default setting)
- If SWF decompression must remain enabled, set decompress-depth to a value lower than half your system's stack size limit
- Implement network-level filtering to block or quarantine suspicious SWF content before it reaches Suricata
- Deploy redundant Suricata instances to maintain monitoring coverage if one instance crashes
# Configuration example for suricata.yaml (the swf-decompression block lives
# under app-layer -> protocols -> http -> libhtp -> default-config)
# Disable SWF decompression (recommended mitigation)
libhtp:
  default-config:
    swf-decompression:
      enabled: no
# OR if SWF decompression is required, limit decompress-depth
# Check your stack size with: ulimit -s (reported in kilobytes)
# Set decompress-depth (in bytes) to less than half that value
libhtp:
  default-config:
    swf-decompression:
      enabled: yes
      decompress-depth: 4096 # Adjust based on your stack size
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.