{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/null-dereference/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31931"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["suricata","denial-of-service","null-dereference"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSuricata, a network IDS, IPS, and NSM engine, is susceptible to a NULL dereference vulnerability when processing specific rule keywords. Specifically, versions 8.0.0 up to but not including 8.0.4 crash when the \u0026ldquo;tls.alpn\u0026rdquo; rule keyword is used. This vulnerability, identified as CVE-2026-31931, can be exploited to cause a denial-of-service condition, disrupting network monitoring and security operations. An attacker could craft specific network traffic or Suricata rules that trigger the flawed code path, causing the Suricata process to terminate. The vulnerability has been patched in Suricata version 8.0.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Suricata instance running a vulnerable version (8.0.0 - 8.0.3).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a Suricata rule containing the \u003ccode\u003etls.alpn\u003c/code\u003e keyword.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the crafted rule to the Suricata instance, either directly or via a configuration management system.\u003c/li\u003e\n\u003cli\u003eSuricata attempts to load and process the rule, triggering the vulnerable code path in the \u003ccode\u003etls.alpn\u003c/code\u003e processing function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code dereferences a NULL pointer, leading to a segmentation fault.\u003c/li\u003e\n\u003cli\u003eThe Suricata process crashes, terminating network intrusion detection and prevention capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process to ensure continued disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31931 results in a denial-of-service condition affecting the Suricata network security engine.  This can lead to blind spots in network monitoring, allowing malicious traffic to pass undetected. The number of affected installations depends on the adoption rate of Suricata versions 8.0.0 through 8.0.3 across various organizations and sectors. Critical network infrastructure, security operations centers, and organizations relying on Suricata for threat detection are potentially impacted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Suricata installations to version 8.0.4 or later to remediate CVE-2026-31931 (\u003ca href=\"https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3\"\u003ehttps://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting or input validation on Suricata rule deployments to prevent malicious rule injection.\u003c/li\u003e\n\u003cli\u003eMonitor Suricata process stability and restart automatically if crashes are detected, to mitigate the impact of the vulnerability (syslog, process monitoring).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:28Z","date_published":"2026-04-02T14:16:28Z","id":"/briefs/2026-04-suricata-null-dereference/","summary":"Suricata versions 8.0.0 to before 8.0.4 are vulnerable to a NULL dereference crash when using the 'tls.alpn' rule keyword, potentially leading to a denial of service.","title":"Suricata NULL Dereference Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-suricata-null-dereference/"}],"language":"en","title":"CraftedSignal Threat Feed — Null-Dereference","version":"https://jsonfeed.org/version/1.1"}