Skip to main content

Red Hat EUVDEUVD-2026-18237

| CVE-2026-31931 HIGH
NULL Pointer Dereference (CWE-476)
2026-04-02 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 14:22 euvd
EUVD-2026-18237
Analysis Generated
Apr 02, 2026 - 14:22 vuln.today
CVE Published
Apr 02, 2026 - 14:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.

AnalysisAI

NULL pointer dereference in Suricata 8.0.0 through 8.0.3 causes denial of service when processing malformed TLS traffic with the 'tls.alpn' rule keyword. Remote unauthenticated attackers can crash the IDS/IPS engine by sending specially crafted network packets, completely disabling network security monitoring. EPSS data not available, but the low attack complexity (AC:L) and network vector (AV:N) combined with high availability impact (A:H) indicate significant operational risk for organizations relying on Suricata for traffic inspection. No evidence of active exploitation (no CISA KEV listing) or public exploit code identified at time of analysis.

Technical ContextAI

Suricata is an open-source network intrusion detection system, intrusion prevention system, and network security monitoring engine. The vulnerability stems from CWE-476 (NULL Pointer Dereference) in the TLS Application-Layer Protocol Negotiation (ALPN) inspection logic. The 'tls.alpn' keyword is used in Suricata rules to match against the ALPN extension in TLS handshakes, which allows clients and servers to negotiate application protocols during connection establishment. When processing certain malformed TLS packets or ALPN data structures, the inspection code attempts to dereference a NULL pointer without proper validation, triggering a segmentation fault and immediate process termination. This affects Suricata's core packet inspection pipeline, impacting all configured security rules that utilize TLS ALPN matching. The issue is isolated to the 8.0.x release branch, specifically versions 8.0.0 through 8.0.3, suggesting it was introduced during feature development or refactoring in the 8.0 major release.

RemediationAI

Vendor-released patch: Upgrade to Suricata version 8.0.4 or later, which contains the fix for the NULL pointer dereference issue. The patch is available through the official Suricata GitHub repository and distribution package managers. Organizations should update using their standard deployment methods, whether compiling from source or using distribution packages. For SUSE Linux environments, monitor vendor security channels for updated packages addressing this CVE. The security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3 provides official guidance from the Open Information Security Foundation. As an interim mitigation for environments where immediate patching is not feasible, administrators can review active rulesets and temporarily disable rules containing the 'tls.alpn' keyword, though this reduces detection capabilities for TLS-based threats. Organizations should audit their Suricata rule configurations to identify affected rules before implementing this workaround. After upgrading, verify Suricata service stability and rule functionality through testing in non-production environments before production deployment. Monitor Suricata logs for any crash or restart events that may indicate exploitation attempts against unpatched systems.

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-18237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy