CVE-2026-31935: Oisf Suricata DOS Vulnerability

CVE-2026-31935 Overview

CVE-2026-31935 affects Suricata, an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine maintained by the Open Information Security Foundation (OISF). Attackers can flood the engine with crafted HTTP/2 CONTINUATION frames to exhaust process memory. The operating system typically terminates the Suricata process once memory limits are reached. The flaw impacts versions prior to 7.0.15 and 8.0.4 and is tracked under [CWE-400] Uncontrolled Resource Consumption.

Critical Impact

Remote attackers can crash Suricata sensors without authentication by sending malformed HTTP/2 traffic, disabling network detection and prevention coverage.

Affected Products

• OISF Suricata versions prior to 7.0.15
• OISF Suricata 8.x versions prior to 8.0.4
• Deployments using HTTP/2 protocol parsing in IDS, IPS, or NSM mode

Discovery Timeline

• 2026-04-02 - CVE-2026-31935 published to NVD
• 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-31935

Vulnerability Analysis

The vulnerability resides in Suricata's HTTP/2 protocol parser. HTTP/2 uses CONTINUATION frames to extend header block fragments across multiple frames. Suricata accumulates these frames in memory while reassembling the complete header block.

An attacker can send an unbounded stream of crafted CONTINUATION frames over a single HTTP/2 connection. Suricata buffers each frame without enforcing a meaningful upper limit on aggregate size. Memory consumption grows until the host operating system intervenes and terminates the process through out-of-memory (OOM) handling.

The attack requires no authentication or user interaction because Suricata passively inspects traffic on monitored network segments. Any traffic the sensor observes can trigger the parser.

Root Cause

The root cause is missing resource bounds on HTTP/2 continuation frame reassembly. The parser tracks per-stream header data but does not cap the cumulative buffer size before processing completes. This matches the [CWE-400] Uncontrolled Resource Consumption pattern.

Attack Vector

The attack vector is network-based. An attacker generates HTTP/2 traffic — either to a real server on the monitored segment or to a sinkhole controlled by the attacker — that crosses Suricata's inspection path. The crafted session contains continuous CONTINUATION frames designed to never complete the header block. Suricata's parser allocates memory until the kernel kills the process, eliminating IDS/IPS visibility on that segment.

No public proof-of-concept exploit is listed in ExploitDB, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-31935

Indicators of Compromise

• Unexpected termination of the suricata process with kernel OOM-killer log entries in /var/log/messages or dmesg.
• HTTP/2 sessions containing abnormally high counts of CONTINUATION frames without a terminating END_HEADERS flag.
• Sudden gaps in IDS event telemetry coinciding with HTTP/2 traffic spikes from a single source.

Detection Strategies

• Monitor Suricata process health and restart events through systemd journal or process supervisors.
• Inspect HTTP/2 flows for anomalous CONTINUATION frame ratios using packet capture tools such as Wireshark or Zeek.
• Correlate sensor downtime with upstream network telemetry to detect coverage loss during active traffic.

Monitoring Recommendations

• Alert on oom-killer events targeting Suricata in host logs and SIEM pipelines.
• Track memory consumption of the Suricata process and trigger alerts on rapid growth beyond baseline.
• Forward Suricata stats events (stats.log or EVE JSON) to a centralized data lake to identify gaps in event flow.

How to Mitigate CVE-2026-31935

Immediate Actions Required

• Upgrade Suricata to version 7.0.15 or 8.0.4, which contain the official fix from OISF.
• Audit all sensor deployments for HTTP/2 parsing configuration and confirm patched binaries are running.
• Configure host-level memory limits and automatic process restart to reduce monitoring downtime during exploitation attempts.

Patch Information

OISF has released fixed versions 7.0.15 and 8.0.4. Patch details and source references are available in the OISF GitHub Security Advisory GHSA-vxrp-5pg7-7v4x and the OISF Redmine issue 8289.

Workarounds

• Disable HTTP/2 parsing in suricata.yaml if upgrading is not immediately possible by setting the http2 app-layer parser to no.
• Apply systemd resource controls such as MemoryMax to constrain Suricata memory and automate restart on failure.
• Deploy redundant sensors so that termination of one instance does not eliminate detection coverage on critical segments.

# Configuration example: disable HTTP/2 parsing until patched
# /etc/suricata/suricata.yaml
app-layer:
  protocols:
    http2:
      enabled: no

# systemd unit override to enforce memory limits and auto-restart
# /etc/systemd/system/suricata.service.d/override.conf
[Service]
MemoryMax=4G
Restart=always
RestartSec=5s