Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X
Local escalation by the already-authenticated suricata account (AV:L, PR:L), low complexity, no interaction; symlink abuse yields root so C/I/A all High, scope Unchanged as it stays within the host OS authority.
Primary rating from Vendor (suse).
CVSS VectorVendor: suse
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed suricata package allows the suricata user to escalate to root.
This issue affects openSUSE Tumbleweed: from ? before 8.0.5-2.1; openSUSE Tumbleweed: from ? before 8.0.5-2.1.
AnalysisAI
Local privilege escalation in the openSUSE Tumbleweed packaging of Suricata allows the unprivileged 'suricata' service account to gain root through a symbolic-link following flaw (CWE-61) in files or directories the package manages with predictable, service-writable paths. Any actor already holding the suricata user context - for example via a compromised or misconfigured IDS/IPS process - can plant a symlink that redirects a root-executed operation to a target of their choosing, yielding full system compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess the 'suricata' user context on an openSUSE Tumbleweed host running the suricata package before 8.0.5-2.1 (PR:L, AV:L) - this is a local, authenticated-as-service-account escalation, not remotely reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a credible local privilege-escalation issue but not an internet-facing emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or already controls the low-privileged suricata service account (for example after subverting the exposed detection process) places a symbolic link at a predictable path that a root-run package operation writes to or chowns. When that root operation fires - during log rotation, service restart, or a scheduled task - it follows the link and modifies an attacker-chosen target such as /etc/passwd or a root-owned script, granting root. … |
| Remediation | Apply the vendor-released patch: update the suricata package to 8.0.5-2.1 or later via 'zypper up suricata' (or a full 'zypper dup' on Tumbleweed) to obtain the fixed packaging that no longer follows attacker-controlled symlinks. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all systems running openSUSE Tumbleweed with Suricata IDS/IPS enabled and document current access controls on the suricata service account. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
OISF suricata-update version 1.0.0a1 contains an Insecure Deserialization vulnerability in the insecure yaml.load-Functi
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suric
An issue was discovered in Suricata before 6.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit
An issue was discovered in Suricata 4.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, n
An issue was discovered in Suricata 4.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, n
An issue was discovered in Suricata 4.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, n
An issue was discovered in Suricata 4.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, n
An issue was discovered in Suricata 4.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, n
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detect
Suricata before 4.0.5 stops TCP stream inspection upon a TCP RST from a server. Rated high severity (CVSS 7.5), this vul
The MemcmpLowercase function in Suricata before 2.0.6 improperly excludes the first byte from comparisons, which might a
In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. Ra
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43633
GHSA-j33g-47h2-2687