{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22261", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.923Z", "datePublished": "2026-01-27T18:10:27.881Z", "dateUpdated": "2026-01-27T18:24:24.317Z"}, "containers": {"cna": {"title": "Suricata eve/alert: http1 xff handling can lead to denial of service", "problemTypes": [{"descriptions": [{"cweId": "CWE-1050", "lang": "en", "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf"}, {"name": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44"}, {"name": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8156", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8156"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": "< 7.0.14", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:10:27.881Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default."}], "source": {"advisory": "GHSA-5jvg-5j3p-34cf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T18:24:03.406014Z", "id": "CVE-2026-22261", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:24:24.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T18:24:03.406014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T18:24:17.079Z"}}], "cna": {"title": "Suricata eve/alert: http1 xff handling can lead to denial of service", "source": {"advisory": "GHSA-5jvg-5j3p-34cf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": "< 7.0.14"}, {"status": "affected", "version": ">= 8.0.0, < 8.0.3"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44", "name": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667", "name": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667", "tags": ["x_refsource_MISC"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8156", "name": "https://redmine.openinfosecfoundation.org/issues/8156", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1050", "description": "CWE-1050: Excessive Platform Resource Consumption within a Loop"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T18:10:27.881Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22261", "state": "PUBLISHED", "dateUpdated": "2026-01-27T18:24:24.317Z", "dateReserved": "2026-01-07T05:19:12.923Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T18:10:27.881Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B0F0-AF2D-4140-BC66-9186EF7E455D", "versionEndExcluding": "7.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA8362-52A2-4ACC-83F7-CA2E77AE89C6", "versionEndExcluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default."}], "id": "CVE-2026-22261", "lastModified": "2026-01-29T21:02:34.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-27T19:16:14.173", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://redmine.openinfosecfoundation.org/issues/8156"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1050"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "suricata: Suricata: Denial of Service due to XFF handling inefficiencies", "id": "2433482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433482"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1050", "details": ["A flaw was found in Suricata, a network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. Various inefficiencies in its eXtended Forwarded For (XFF) handling, particularly for alerts not triggered in a transaction, can lead to severe slowdowns. This vulnerability could allow a remote attacker to cause a Denial of Service by sending specially crafted network traffic."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that XFF support is disabled in the Suricata eve configuration. This setting is disabled by default, so no action is required unless it has been explicitly enabled. If XFF support has been enabled, it can be disabled in the Suricata configuration file. A service restart may be required for changes to take effect."}, "name": "CVE-2026-22261", "public_date": "2026-01-27T18:10:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22261\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22261\nhttps://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44\nhttps://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667\nhttps://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf\nhttps://redmine.openinfosecfoundation.org/issues/8156"], "statement": "This is a LOW impact denial of service vulnerability in Suricata's XFF handling. Red Hat products shipping Suricata are not affected by default, as XFF support is disabled by default in the eve configuration. Exploitation would require an administrator to explicitly enable XFF support.", "threat_severity": "Low"}

{"created": "2026-01-28T12:21:52.511563+00:00", "updated": "2026-01-28T12:21:52.511597+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}