CVE-2025-29916

EUVD-2025-14815
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.2 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
6.2 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
oisfsuricata
𝑥
< 7.0.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
suricata
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
vulnerable
forky
1:8.0.3-1
fixed
sid
1:8.0.3-1
fixed
trixie
1:7.0.10-1+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
suricata
bionic
needs-triage
focal
dne
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
ignored
questing
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/OISF/suricata/commit/a7713db709b8a0be5fc5e5809ab58e9b14a16e85
https://github.com/OISF/suricata/security/advisories/GHSA-27g3-pmvp-j9cv
https://redmine.openinfosecfoundation.org/issues/7615