Skip to main content

Red Hat CVE-2026-31937

| EUVDEUVD-2026-18246 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-04-02 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 15:00 euvd
EUVD-2026-18246
Analysis Generated
Apr 02, 2026 - 15:00 vuln.today
CVE Published
Apr 02, 2026 - 14:38 nvd
HIGH 7.5

DescriptionGitHub Advisory

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

AnalysisAI

Network denial-of-service in Suricata prior to 7.0.15 allows remote unauthenticated attackers to degrade intrusion detection performance via inefficient DCERPC buffering. The flaw enables attackers to bypass or impair network security monitoring by exhausting system resources through malformed DCERPC traffic, effectively blinding detection capabilities. No public exploit identified at time of analysis, though EPSS score and exploitation likelihood were not provided in available data.

Technical ContextAI

Suricata is an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) engine maintained by the Open Information Security Foundation (OISF). This vulnerability stems from CWE-407 (Inefficient Algorithmic Complexity), specifically in the DCERPC (Distributed Computing Environment Remote Procedure Call) protocol parser. DCERPC is Microsoft's RPC implementation used extensively in Windows networks for inter-process communication. The inefficient buffering implementation causes excessive resource consumption when processing DCERPC traffic, degrading the engine's ability to inspect network traffic at line rate. This affects the core packet inspection pipeline, making Suricata vulnerable to resource exhaustion attacks that could allow malicious traffic to pass uninspected during performance degradation periods.

RemediationAI

Organizations should immediately upgrade to Suricata version 7.0.15 or later, which contains the vendor-released patch addressing the inefficient DCERPC buffering issue. The fix is available from the Open Information Security Foundation's official repositories and distribution channels. Administrators should verify the upgrade by checking the running version with 'suricata --build-info' and reviewing logs for performance improvements when processing DCERPC traffic. For environments unable to immediately upgrade, consider temporarily disabling DCERPC protocol inspection if this traffic type is not critical to the security monitoring posture, though this workaround reduces detection capabilities. SUSE users should apply security updates through their standard package management channels once vendor packages are released. Detailed patch information and installation guidance is provided in the GitHub security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-86vg-w8vm-m3gg. After upgrading, monitor system resource utilization and alert performance to confirm resolution of the performance degradation issue.

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-31937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy