Nixpkgs security tracker

Untriaged

Permalink CVE-2026-31932

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Suricata krb5: quadratic complexity in krb5 buffering

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.

References

https://github.com/OISF/suricata/security/advisories/GHSA-rp9m-jcpw-hggr x_refsource_CONFIRM
https://redmine.openinfosecfoundation.org/issues/8305 x_refsource_MISC

Affected products

suricata

==< 7.0.15
==>= 8.0.0, < 8.0.4

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 8.0.3
- nixpkgs-unstable 8.0.3
- nixos-unstable-small 8.0.3

Untriaged

Permalink CVE-2026-31937

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Suricata dcerpc: quadratic complexity in dcerpc buffering

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.

References

https://github.com/OISF/suricata/security/advisories/GHSA-86vg-w8vm-m3gg x_refsource_CONFIRM
https://redmine.openinfosecfoundation.org/issues/8304 x_refsource_MISC

Affected products

suricata

==< 7.0.15

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 8.0.3
- nixpkgs-unstable 8.0.3
- nixos-unstable-small 8.0.3

Untriaged

Permalink CVE-2026-31931

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Suricata tls: null dereference in tls.alpn rule keyword

Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.

References

https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3 x_refsource_CONFIRM
https://redmine.openinfosecfoundation.org/issues/8294 x_refsource_MISC

Affected products

suricata

==>= 8.0.0, < 8.0.4

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 8.0.3
- nixpkgs-unstable 8.0.3
- nixos-unstable-small 8.0.3

Untriaged

Permalink CVE-2026-31935

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Suricata http2: unbounded resource consumption

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of craft HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4.

References

https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x x_refsource_CONFIRM
https://redmine.openinfosecfoundation.org/issues/8289 x_refsource_MISC

Affected products

suricata

==< 7.0.15
==>= 8.0.0, < 8.0.4

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 8.0.3
- nixpkgs-unstable 8.0.3
- nixos-unstable-small 8.0.3

Untriaged

Permalink CVE-2026-31934

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Suricata smtp/mine: quadratic complexity in extracting urls

Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for URLs in mime encoded messages over SMTP leading to a performance impact. This issue has been patched in version 8.0.4.

References

https://github.com/OISF/suricata/security/advisories/GHSA-hr89-h2pp-f3c8 x_refsource_CONFIRM
https://redmine.openinfosecfoundation.org/issues/8292 x_refsource_MISC

Affected products

suricata

==>= 8.0.0, < 8.0.4

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 8.0.3
- nixpkgs-unstable 8.0.3
- nixos-unstable-small 8.0.3

Untriaged

Permalink CVE-2026-31933

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

created 2 months, 2 weeks ago Activity log

Created suggestion 2 months, 2 weeks ago

Suricata stream: quadratic complexity in stream inspection

Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.

References

https://github.com/OISF/suricata/security/advisories/GHSA-hvp5-gpr6-j4gp x_refsource_CONFIRM
https://redmine.openinfosecfoundation.org/issues/8272 x_refsource_MISC

Affected products

suricata

==< 7.0.15
==>= 8.0.0, < 8.0.4

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 8.0.3
- nixpkgs-unstable 8.0.3
- nixos-unstable-small 8.0.3

Published

Permalink CVE-2026-22264

7.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 3 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

Suricata detect/alert: heap-use-after-free on alert queue expansion

Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet.

References

https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5 x_refsource_CONFIRM
https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715 x_refsource_MISC
https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 x_refsource_MISC
https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b x_refsource_MISC
https://redmine.openinfosecfoundation.org/issues/8190 x_refsource_MISC

Affected products

suricata

==>= 8.0.0, < 8.0.3
==< 7.0.14

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 7.0.10
- nixpkgs-unstable 7.0.10
- nixos-unstable-small 7.0.10

Upstream advisory: https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5

Published

Permalink CVE-2026-22262

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 3 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

Suricata datasets: stack overflow when saving a set

Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with datasets `save` nor `state` options.

References

https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86 x_refsource_CONFIRM
https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf x_refsource_MISC
https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1 x_refsource_MISC
https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb x_refsource_MISC
https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521 x_refsource_MISC
https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658 x_refsource_MISC
https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90 x_refsource_MISC
https://redmine.openinfosecfoundation.org/issues/8110 x_refsource_MISC

Affected products

suricata

==>= 8.0.0, < 8.0.3
==< 7.0.14

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 7.0.10
- nixpkgs-unstable 7.0.10
- nixos-unstable-small 7.0.10

Upstream advisory: https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86

Published

Permalink CVE-2026-22261

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 3 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

Suricata eve/alert: http1 xff handling can lead to denial of service

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default.

References

https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf x_refsource_CONFIRM
https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44 x_refsource_MISC
https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667 x_refsource_MISC
https://redmine.openinfosecfoundation.org/issues/8156 x_refsource_MISC

Affected products

suricata

==>= 8.0.0, < 8.0.3
==< 7.0.14

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 7.0.10
- nixpkgs-unstable 7.0.10
- nixos-unstable-small 7.0.10

Upstream advisory: https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf

Published

Permalink CVE-2026-22258

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 3 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

Suricata DCERPC: unbounded fragment buffering leads to memory exhaustion

Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer w/o limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB.

References

https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx x_refsource_CONFIRM
https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74 x_refsource_MISC
https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830 x_refsource_MISC
https://redmine.openinfosecfoundation.org/issues/8182 x_refsource_MISC

Affected products

suricata

==>= 8.0.0, < 8.0.3
==< 7.0.14

Matching in nixpkgs

pkgs.suricata

Free and open source, mature, fast and robust network threat detection engine

nixos-unstable 7.0.10
- nixpkgs-unstable 7.0.10
- nixos-unstable-small 7.0.10

Upstream advisory: https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata

References

Affected products

Matching in nixpkgs

pkgs.suricata