Suricata is a widely-used open-source engine for network intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring (NSM). In early 2026, a significant vulnerability was discovered—CVE-2026-22258—affecting how Suricata handles certain network traffic. This post breaks down what happened, how attackers could exploit this bug, and how you can protect your systems.

## What’s the Problem?

The issue’s root cause lies in Suricata’s parser for DCERPC (Distributed Computing Environment / Remote Procedure Call). In particular, when Suricata parses DCERPC traffic (especially over UDP, but also possible over TCP and SMB), it can *expand an internal buffer without limits*. This means:

- If a remote attacker sends specially-crafted DCERPC packets, Suricata keeps growing an internal buffer to handle them.
- Eventually, the Suricata process gets killed by the operating system.

That means an unauthenticated attacker can cause Denial of Service (DoS) by crashing Suricata, potentially blinding your defenses.

- Suricata 7.x before 7..14

If you use any of these versions, you’re at risk.

#### 1. Through UDP

1. Attacker sprays the network with large DCERPC packets embedding excessive data.

2. Suricata, trying to reassemble and parse this data, keeps allocating more memory for each incoming crafted packet.

#### 2. Through TCP or SMB

While reported for UDP, the Suricata developers believe the same logic may apply over TCP and SMB transports if limits are not enforced.

- By default, Suricata limits TCP reassembly (for DCERPC/TCP) to 1 MiB—so most users are safe here *unless* they changed this setting.
- For DCERPC over SMB, there’s *no default limit*; an attacker could exploit this by sending large SMB packets carrying DCERPC.


## Proof of Concept / Exploit Details

To see how this could be abused, let’s use a simple conceptual Python snippet that simulates spraying DCERPC/UDP packets against a Suricata-protected host:

```python
import socket

target_ip = "192.168.100.10"
target_port = 135  # DCERPC endpoint mapper

# Big dummy DCERPC packet (size can be increased for more effect)
big_packet = b"A" * 100000

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
for i in range(100):
    sock.sendto(big_packet, (target_ip, target_port))
    print(f"Sent packet #{i+1}")

print("Done. Suricata should increase memory usage rapidly if vulnerable.")
```

Note: Don’t run things like this outside of your own test environment. In the real world, attackers would automate this to crash your Suricata instance deliberately.

## Immediate Mitigation

Upgrade to Suricata 8..3 or 7..14 or later.
The Suricata team released patches fixing the unlimited buffer growth.

- Suricata release notes for 8..3
- Suricata release notes for 7..14

If you can't upgrade right now, the following configuration changes reduce or eliminate the risk:

#### 1. DCERPC/UDP: Disable the parser

Edit your Suricata YAML config, find the dcerpc section, and set enabled: no under udp:

```yaml
dcerpc:
  enabled: yes
  udp:
    enabled: no
```

Or comment out/disable the UDP parser.

#### 2. DCERPC/TCP: Enforce Stream Depth

Make sure stream.reassembly.depth is set (1 MiB is the default):

```yaml
stream:
  reassembly:
    depth: 1mb
```

#### 3. DCERPC/SMB: Limit Stream Depth

By default, there's *no* limit here, so add one:

```yaml
smb:
  enabled: yes
  stream-depth: 1mb  # or less, adjust based on your environment
```

Warning: Setting a low stream depth for SMB can lead to missing events or alerts if large files are transferred.
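As an added example (not code from the post or from the Suricata project), here is a small Python checker that parses a suricata.yaml fragment and reports which of the three workarounds above it is missing. It assumes the top-level dcerpc/smb layout shown in the snippets (a full suricata.yaml nests those sections under app-layer.protocols), and the sample config it checks is constructed for the example.

```python
import re

UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3}

def parse_flat(text):
    # Tiny parser for the nested "key: value" subset used in suricata.yaml
    # fragments (no lists, anchors or quoted '#'): returns dotted paths.
    flat, stack = {}, []  # stack of (indent, key) for the open parent keys
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key, _, value = line.strip().partition(":")
        stack.append((indent, key))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def to_bytes(value):
    # Suricata size strings such as "1mb", "512kb", "1MiB"; None if unparsable.
    m = re.fullmatch(r"(\d+)\s*([kmg]?i?b)?", str(value).strip().lower())
    return int(m.group(1)) * UNITS[(m.group(2) or "").replace("i", "")] if m else None

def check_workarounds(yaml_text, cap=1024**2):
    # Assumes the top-level dcerpc/smb layout shown in the post; a full
    # suricata.yaml nests those sections under app-layer.protocols.
    cfg, missing = parse_flat(yaml_text), []
    if str(cfg.get("dcerpc.udp.enabled")).lower() != "no":
        missing.append("dcerpc.udp.enabled is not 'no': DCERPC/UDP parser still on")
    depth = to_bytes(cfg.get("stream.reassembly.depth") or "1mb")  # 1mb default
    if not depth or depth > cap:  # 0 means unlimited in Suricata
        missing.append("stream.reassembly.depth is unlimited or above 1mb")
    smb_depth = to_bytes(cfg.get("smb.stream-depth"))  # no default limit for SMB
    if not smb_depth or smb_depth > cap:
        missing.append("smb.stream-depth is unset, 0 or above 1mb")
    return missing

# Constructed sample (not from the post): UDP parser on, depth 0 (unlimited), no smb.stream-depth.
WEAK_CFG = """\
dcerpc:
  udp:
    enabled: yes
stream:
  reassembly:
    depth: 0
smb:
  enabled: yes
"""
```

Running check_workarounds(WEAK_CFG) returns all three findings; the hardened fragments from steps 1 to 3 combined return an empty list.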

## Final Thoughts

This bug highlights the importance of always running supported, up-to-date software, especially for network security monitoring systems. Even trusted open-source tools like Suricata can contain severe flaws. Make a habit of monitoring Suricata's release notes and following their security advisories.

If you want more technical detail, see the official Suricata GitHub report:
- Suricata GitHub Issue #9109 (Private for now, will be public at patch)

Full CVE ID:
- NVD: CVE-2026-22258

## Timeline

Published on: 01/27/2026 16:17:29 UTC
Last modified on: 01/29/2026 16:31:35 UTC