Suricata http1: quadratic complexity in headers parsing over multiple packets

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.

Basic Information

ID CVE-2026-22263

Source GitHub_M

Published Jan 27, 2026 at 18:27

Modified Jan 27, 2026 at 19:56

Affected Product

Vendor OISF

Product suricata

Version >= 8.0.0, < 8.0.3

Affected Versions OISF suricata >= 8.0.0, < 8.0.3

CWE Classification

CWE-1050

References

{
    "lastseen": "",
    "description": "Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.",
    "published": "2026-01-27T18:27:45.351Z",
    "modified": "2026-01-27T19:56:34.976Z",
    "type": "cve",
    "title": "Suricata http1: quadratic complexity in headers parsing over multiple packets",
    "source": "GitHub_M",
    "references": "https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7\nhttps://github.com/OISF/suricata/commit/018a377f74e3eb2b042c6f783ad9043060923428\nhttps://redmine.openinfosecfoundation.org/issues/8201",
    "id": "CVE-2026-22263",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1050"
    ],
    "cvelist": null,
    "sourceData": "OISF suricata >= 8.0.0, < 8.0.3",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "suricata",
    "version": ">= 8.0.0, < 8.0.3",
    "vendor": "OISF",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Suricata http1: quadratic complexity in headers parsing over multiple packets_CVE-2026-22263