Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
AnalysisAI
NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.
Technical ContextAI
Suricata is an open-source network intrusion detection system, intrusion prevention system, and network security monitoring engine. The vulnerability stems from CWE-476 (NULL Pointer Dereference) in the TLS Application-Layer Protocol Negotiation (ALPN) inspection logic. The 'tls.alpn' keyword is used in Suricata rules to match against the ALPN extension in TLS handshakes, which allows clients and servers to negotiate application protocols during connection establishment. When processing certain malformed TLS packets or ALPN data structures, the inspection code attempts to dereference a NULL pointer without proper validation, triggering a segmentation fault and immediate process termination. This affects Suricata's core packet inspection pipeline, impacting all configured security rules that utilize TLS ALPN matching. The issue is isolated to the 8.0.x release branch, specifically versions 8.0.0 through 8.0.3, suggesting it was introduced during feature development or refactoring in the 8.0 major release.
RemediationAI
Vendor-released patch: Upgrade to Suricata version 8.0.4 or later, which contains the fix for the NULL pointer dereference issue. The patch is available through the official Suricata GitHub repository and distribution package managers. Organizations should update using their standard deployment methods, whether compiling from source or using distribution packages. For SUSE Linux environments, monitor vendor security channels for updated packages addressing this CVE. The security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3 provides official guidance from the Open Information Security Foundation. As an interim mitigation for environments where immediate patching is not feasible, administrators can review active rulesets and temporarily disable rules containing the 'tls.alpn' keyword, though this reduces detection capabilities for TLS-based threats. Organizations should audit their Suricata rule configurations to identify affected rules before implementing this workaround. After upgrading, verify Suricata service stability and rule functionality through testing in non-production environments before production deployment. Monitor Suricata logs for any crash or restart events that may indicate exploitation attempts against unpatched systems.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18237