Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31935

CVE-2026-31935: Suricata HTTP2 DoS Vulnerability

CVE-2026-31935 is a denial of service vulnerability in Suricata network IDS/IPS caused by HTTP2 continuation frame flooding that leads to memory exhaustion. This article covers technical details, affected versions, and mitigation.

Published: April 2, 2026

CVE-2026-31935 Overview

CVE-2026-31935 is a Denial of Service vulnerability affecting Suricata, a widely-deployed open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. The vulnerability exists in the HTTP/2 protocol handling code, where flooding crafted HTTP/2 continuation frames can lead to memory exhaustion, typically resulting in the Suricata process being terminated by the operating system.

Critical Impact

Attackers can remotely crash Suricata instances by sending specially crafted HTTP/2 continuation frames, potentially leaving networks unprotected and enabling subsequent attacks to go undetected.

Affected Products

  • Suricata versions prior to 7.0.15
  • Suricata versions prior to 8.0.4

Discovery Timeline

  • April 2, 2026 - CVE-2026-31935 published to NVD
  • April 2, 2026 - Last updated in NVD database

Technical Details for CVE-2026-31935

Vulnerability Analysis

This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a category of weaknesses where the software does not properly limit the consumption of resources such as memory. In this case, the Suricata engine fails to adequately control memory allocation when processing HTTP/2 continuation frames.

HTTP/2 continuation frames are designed to allow HTTP header fields that exceed the maximum frame size to be split across multiple frames. When an attacker sends a flood of maliciously crafted continuation frames, Suricata allocates memory for each incoming frame without proper bounds checking or resource limiting. This leads to progressive memory exhaustion until the operating system's out-of-memory (OOM) killer terminates the Suricata process.

The network attack vector allows remote exploitation without authentication or user interaction. An attacker with network access to monitored traffic or the ability to inject traffic can trigger this condition. The impact is limited to availability—there is no confidentiality or integrity breach—but the consequences can be severe for organizations relying on Suricata for network security monitoring and intrusion prevention.

Root Cause

The root cause lies in insufficient resource management within Suricata's HTTP/2 protocol parser. The continuation frame handler does not enforce appropriate limits on the number of continuation frames that can be processed or the total memory that can be allocated for reassembling fragmented headers. This allows an attacker to exhaust available memory through sustained delivery of continuation frames.

Attack Vector

The attack can be executed remotely over the network by any entity capable of sending HTTP/2 traffic through a network segment monitored by Suricata. The attacker initiates an HTTP/2 connection and sends a stream of continuation frames designed to maximize memory allocation. Since no authentication or privileges are required, and no user interaction is necessary, the attack surface is broad. The vulnerability is particularly concerning in environments where Suricata operates inline as an IPS, as a crash could temporarily disable network protection capabilities.

For technical details about this vulnerability, refer to the GitHub Security Advisory and the Open Information Security Foundation issue tracker.

Detection Methods for CVE-2026-31935

Indicators of Compromise

  • Sudden memory usage spikes on systems running Suricata, particularly correlating with HTTP/2 traffic
  • Suricata process terminations logged by the operating system's OOM killer in /var/log/kern.log or system journal
  • Gaps in network security monitoring data indicating periods when Suricata was unavailable
  • Unusual volumes of HTTP/2 continuation frames from specific source IP addresses

Detection Strategies

  • Monitor Suricata process health and memory consumption using system monitoring tools such as Prometheus, Grafana, or Nagios
  • Configure alerts for abnormal memory growth patterns in the Suricata process
  • Implement network flow analysis to identify anomalous HTTP/2 traffic patterns, particularly excessive continuation frames
  • Review Suricata logs for parser errors or warnings related to HTTP/2 processing

Monitoring Recommendations

  • Deploy SentinelOne Singularity™ to monitor endpoint and network infrastructure for signs of resource exhaustion attacks
  • Establish baseline memory consumption metrics for Suricata instances and alert on significant deviations
  • Enable detailed HTTP/2 logging where feasible to capture evidence of exploitation attempts
  • Implement automated restart mechanisms for Suricata with alerting to ensure rapid recovery and incident awareness

How to Mitigate CVE-2026-31935

Immediate Actions Required

  • Upgrade Suricata to version 7.0.15 or 8.0.4 (or later) immediately
  • Monitor Suricata instances for signs of resource exhaustion until patches can be applied
  • Consider temporarily disabling HTTP/2 inspection if upgrading is not immediately feasible and risk tolerance allows
  • Review network architecture to ensure redundancy in security monitoring capabilities

Patch Information

The Open Information Security Foundation (OISF) has released patched versions that address this vulnerability. Upgrade to Suricata 7.0.15 for the 7.x branch or 8.0.4 for the 8.x branch. Detailed patch information is available in the GitHub Security Advisory and the OISF issue tracker.

Workarounds

  • If immediate patching is not possible, consider disabling HTTP/2 protocol inspection in Suricata configuration as a temporary measure
  • Implement rate limiting for HTTP/2 traffic at the network perimeter to reduce the effectiveness of flooding attacks
  • Deploy additional monitoring to detect and alert on Suricata process crashes or memory exhaustion events
  • Use network segmentation to limit attacker access to systems monitored by vulnerable Suricata instances
bash
# Example: Upgrade Suricata on Debian/Ubuntu systems
sudo apt update
sudo apt install suricata

# Verify the installed version
suricata --build-info | grep -i version

# Restart Suricata service after upgrade
sudo systemctl restart suricata

# Verify Suricata is running
sudo systemctl status suricata

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechSuricata
  • SeverityHIGH
  • CVSS Score7.5
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-400
  • Technical References
  • GitHub Security Advisory
  • Open Information Security Issue
  • Related CVEs
  • CVE-2026-31937: Suricata DCERPC DOS Vulnerability
  • CVE-2026-31934: Suricata SMTP DoS Vulnerability
  • CVE-2026-31933: Suricata IDS/IPS DoS Vulnerability
  • CVE-2026-31932: Suricata KRB5 DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English