Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.
AnalysisAI
Network-accessible resource exhaustion in Suricata IDS allows remote attackers to degrade detection performance via specially crafted traffic. Affects versions prior to 7.0.15 and 8.0.4 (CVSS 7.5 HIGH). Attack requires no authentication (PR:N) and low complexity (AC:L), enabling trivial performance degradation that could blind security monitoring. EPSS data not available, but no public exploit identified at time of analysis. Vendor patches released for both affected branches (7.0.15, 8.0.4).
Technical ContextAI
Suricata is an open-source network threat detection engine performing intrusion detection (IDS), prevention (IPS), and network security monitoring. The vulnerability involves CWE-407 (Inefficient Algorithmic Complexity), where specially crafted network packets trigger computationally expensive processing paths within the detection engine. This algorithmic complexity issue causes CPU resource exhaustion during traffic analysis, degrading throughput and detection coverage. The flaw affects the core traffic inspection pipeline, making it exploitable via normal network attack surface without requiring direct access to the Suricata system itself. The issue is particularly critical for IDS deployments where performance degradation creates security blind spots by preventing timely threat detection.
RemediationAI
Vendor-released patches: Upgrade to Suricata version 7.0.15 for the 7.x branch or version 8.0.4 for the 8.x branch. These versions contain fixes for the algorithmic complexity issue causing performance degradation. Download patched releases from the official OISF Suricata repository or distribution-specific package managers. For SUSE Linux Enterprise environments (noted in tags), apply updates through SUSE security channels when available. No workarounds identified-patching is the primary mitigation strategy. Verify patch effectiveness by monitoring Suricata CPU utilization and packet processing rates under typical traffic loads post-upgrade. Consult the official security advisory at https://github.com/OISF/suricata/security/advisories/GHSA-hvp5-gpr6-j4gp and implementation details at https://redmine.openinfosecfoundation.org/issues/8272 for additional technical guidance.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18241