CVE-2026-22260 Overview
CVE-2026-22260 is a stack overflow vulnerability in Suricata, the widely-deployed open-source network IDS, IPS, and NSM (Network Security Monitoring) engine developed by the Open Information Security Foundation (OISF). This vulnerability affects Suricata versions 8.0.0 through 8.0.2 and can be exploited remotely to cause the Suricata process to crash, resulting in a denial of service condition that disables network security monitoring capabilities.
Critical Impact
Remote attackers can crash Suricata instances without authentication, disabling network intrusion detection and prevention capabilities. This leaves the protected network blind to subsequent attacks during the service outage.
Affected Products
- OISF Suricata version 8.0.0
- OISF Suricata version 8.0.1
- OISF Suricata version 8.0.2
Discovery Timeline
- 2026-01-27 - CVE-2026-22260 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-22260
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion) and CWE-787 (Out-of-Bounds Write). The flaw exists in Suricata's HTTP decompression handling code, specifically in the rust/htp/src/decompressors.rs module. The vulnerability allows an attacker to trigger a stack overflow condition by sending specially crafted network traffic that causes excessive recursion during the decompression process.
The attack can be executed remotely over the network without requiring any authentication or user interaction. When exploited, the vulnerability causes the Suricata process to crash due to stack exhaustion, effectively disabling network security monitoring and intrusion prevention capabilities on the affected system.
Root Cause
The root cause of this vulnerability lies in the recursive implementation of the HTTP decompression writer in Suricata's Rust-based HTP library. When processing HTTP response bodies with certain decompression characteristics, the code would recursively call self.write(data) after flushing the writer buffer on WriteZero errors. This recursive pattern could be triggered repeatedly, causing uncontrolled stack growth until the stack is exhausted.
Non-default values for request-body-limit and response-body-limit configuration options can influence the exploitability of this issue, as they affect how much data the decompressor processes.
Attack Vector
The vulnerability is exploitable over the network by sending malicious HTTP traffic through a network segment monitored by Suricata. An attacker can craft HTTP responses with compressed content designed to trigger the recursive decompression path repeatedly. Since Suricata operates as a network security monitor, it processes all network traffic passing through it, making this attack vector particularly dangerous as the attacker doesn't need direct access to the Suricata system itself.
The following code shows the vulnerable decompression logic that was patched:
// references. Any calls using `self.writer` should be avoided while the
// writer is in this state.
} else if let Some(mut writer) = self.writer.take() {
- match writer.write(data) {
- Ok(consumed) => {
- let result = if consumed == 0 {
- // This could indicate that we have reached the end
- // of the stream. Any data after the first end of
- // stream (such as in multipart gzip) is ignored and
- // we pretend to have consumed this data.
- Ok(data.len())
- } else {
- Ok(consumed)
- };
- self.writer.replace(writer);
- result
- }
- Err(e) => {
- match e.kind() {
- std::io::ErrorKind::WriteZero => {
- self.flush_writer(&mut writer)?;
- // Recursion: the buffer was flushed until `WriteZero`
- // stopped occuring.
- self.writer.replace(writer)
- self.write(data)
- }
- _ => {
- if self.restarts == 0 {
- let written = self.try_finish(&mut writer);
- if written {
Source: GitHub Suricata Commit
Detection Methods for CVE-2026-22260
Indicators of Compromise
- Unexpected Suricata process crashes or restarts in system logs
- Stack overflow errors in Suricata logs related to decompression operations
- Anomalous HTTP traffic patterns with unusual compressed content characteristics
- Service monitoring alerts indicating repeated Suricata daemon failures
Detection Strategies
- Monitor Suricata process health and implement automated alerting for unexpected terminations
- Review system logs for stack overflow or segmentation fault errors associated with the Suricata process
- Implement process watchdog monitoring to detect and alert on rapid restart cycles
- Analyze HTTP traffic logs for patterns of compressed content that precede Suricata crashes
Monitoring Recommendations
- Deploy process monitoring tools to track Suricata daemon uptime and restart frequency
- Configure centralized logging to capture Suricata crash events and core dumps for analysis
- Implement network traffic baseline monitoring to detect anomalous decompression activity
- Set up alerts for any gaps in network security monitoring coverage
How to Mitigate CVE-2026-22260
Immediate Actions Required
- Upgrade Suricata to version 8.0.3 or later immediately
- If immediate upgrade is not possible, apply the workaround configuration to use default values for body limits
- Review and verify Suricata process monitoring is in place to detect crashes
- Ensure redundant network security monitoring capabilities are available during the upgrade process
Patch Information
OISF has released version 8.0.3 of Suricata which addresses this vulnerability. The fix removes the recursive decompression pattern and implements an iterative approach instead. The patch is available in commit 0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185. Organizations should update to Suricata 8.0.3 as soon as possible. For detailed information, refer to the GitHub Security Advisory GHSA-3gm8-84cm-5x22.
Workarounds
- Use default values for request-body-limit configuration option in suricata.yaml
- Use default values for response-body-limit configuration option in suricata.yaml
- Implement process supervision to automatically restart Suricata if it crashes
- Consider deploying redundant IDS/IPS sensors to maintain coverage during potential outages
# Configuration example - Use default body limits in suricata.yaml
# Ensure these are set to defaults or commented out to use defaults:
# request-body-limit: 100kb (default)
# response-body-limit: 100kb (default)
# Verify current Suricata version
suricata --build-info | grep "Suricata version"
# Update to patched version
sudo apt-get update && sudo apt-get install suricata=8.0.3
# Or for source installations:
# git checkout suricata-8.0.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
