CVE-2026-22261

Suricata eve/alert: http1 xff handling can lead to denial of service

CVSS 3.7 LOW · EPSS 0.3% · CWE-1050
In short

Suricata's handling of X-Forwarded-For (XFF) headers in HTTP alerts can cause the system to slow down significantly when processing certain network traffic. This vulnerability allows attackers to degrade the performance of network monitoring by sending specially crafted requests.

Technical detail

The vulnerability exists in Suricata's eve/alert module where inefficient XFF header processing, particularly for alerts not associated with an HTTP transaction, can cause denial of service through severe performance degradation. An attacker can exploit this by sending HTTP traffic with XFF headers that trigger the inefficient code path, causing resource exhaustion on the IDS/IPS system.

Summary generated and translated by AI from the official description.
Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
OISF · suricata
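
To check a sensor against the fixed versions and the XFF workaround described above, the following added example (not Suricata project code) flags a host only when the version is below 8.0.3 / 7.0.14 and an `xff:` block is enabled. The sample configuration is constructed, and treating branches older than 7.x as unpatched is an assumption.

```python
import re

# Fixed releases named on the page, keyed by major version.
FIXED = {8: (8, 0, 3), 7: (7, 0, 14)}

def version_is_patched(version: str) -> bool:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    # Assumption: branches older than 7.x are compared against 7.0.14.
    return v >= FIXED.get(v[0], FIXED[7])

def xff_enabled_blocks(yaml_text: str) -> list:
    """Line numbers of `xff:` blocks that contain an enabled: yes/true/on."""
    hits, xff_indent, xff_line = [], None, 0
    for n, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if xff_indent is not None and indent <= xff_indent:
            xff_indent = None                  # dedent: left the xff block
        if line.strip() == "xff:":
            xff_indent, xff_line = indent, n
        elif xff_indent is not None:
            m = re.match(r"\s*enabled:\s*(\S+)", line)
            if m and m.group(1).strip("'\"").lower() in ("yes", "true", "on"):
                hits.append(xff_line)
    return hits

def exposed(version: str, yaml_text: str) -> bool:
    return not version_is_patched(version) and bool(xff_enabled_blocks(yaml_text))

# Constructed sample, shaped like the eve-log section of suricata.yaml.
SAMPLE = """\
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      xff:
        enabled: yes
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
"""

if __name__ == "__main__":
    print(exposed("7.0.13", SAMPLE), xff_enabled_blocks(SAMPLE))
```

The scan is line-based so it needs no YAML library; it only recognises `xff:` written as a plain block mapping key, which is how the stock configuration lays it out.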
