{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31931", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.653Z", "datePublished": "2026-04-02T14:01:03.512Z", "dateUpdated": "2026-04-02T14:18:27.902Z"}, "containers": {"cna": {"title": "Suricata tls: null dereference in tls.alpn rule keyword", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3"}, {"name": "https://redmine.openinfosecfoundation.org/issues/8294", "tags": ["x_refsource_MISC"], "url": "https://redmine.openinfosecfoundation.org/issues/8294"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": ">= 8.0.0, < 8.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:01:03.512Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the \"tls.alpn\" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4."}], "source": {"advisory": "GHSA-gr22-4784-xvw3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:18:13.377669Z", "id": "CVE-2026-31931", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:18:27.902Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T14:18:13.377669Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:18:19.353Z"}}], "cna": {"title": "Suricata tls: null dereference in tls.alpn rule keyword", "source": {"advisory": "GHSA-gr22-4784-xvw3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": ">= 8.0.0, < 8.0.4"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://redmine.openinfosecfoundation.org/issues/8294", "name": "https://redmine.openinfosecfoundation.org/issues/8294", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the \"tls.alpn\" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T14:01:03.512Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31931", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:18:27.902Z", "dateReserved": "2026-03-10T15:10:10.653Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T14:01:03.512Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the \"tls.alpn\" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4."}], "id": "CVE-2026-31931", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:28.587", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3"}, {"source": "security-advisories@github.com", "url": "https://redmine.openinfosecfoundation.org/issues/8294"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Suricata: Suricata: Denial of Service via 'tls.alpn' rule keyword", "id": "2454369", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454369"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in Suricata, a network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. An attacker could trigger a null dereference by using the \"tls.alpn\" rule keyword, causing the Suricata engine to crash. This vulnerability leads to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid using the 'tls.alpn' rule keyword in Suricata configurations. If Suricata crashes due to this vulnerability, restarting the service may temporarily restore functionality. Ensure that Suricata configurations do not include the 'tls.alpn' keyword to prevent service disruption."}, "name": "CVE-2026-31931", "public_date": "2026-04-02T14:01:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31931\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31931\nhttps://github.com/OISF/suricata/security/advisories/GHSA-gr22-4784-xvw3\nhttps://redmine.openinfosecfoundation.org/issues/8294"], "statement": "Important: Suricata is vulnerable to a denial of service when processing network traffic with rules that utilize the `tls.alpn` keyword. An attacker can trigger a null dereference, causing the Suricata engine to crash. This issue affects Suricata versions 8.0.0 through 8.0.3.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "suricata", "source": "cna", "vendor": "OISF"}, "product": "suricata", "vendor": "oisf"}], "analysis": {"en": {"generated_at": "2026-04-02T15:23:28.069514+00:00", "value": {"mitigation_remediation": ["Upgrade Suricata to version\u00a08.0.4 or later, which contains the patch for this bug."], "summary": {"action": "Apply patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw exists in Suricata releases from version\u00a08.0.0 up to, but not including, 8.0.4. Systems running any of those builds that utilize the tls.alpn rule keyword in their detection rules are at risk.\n", "description_and_impact": "Suricata, a widely used network IDS/IPS engine, contains a null dereference flaw within the tls.alpn rule keyword. When the keyword is parsed on affected builds, the program attempts to access a memory pointer that has not been initialized, causing Suricata to terminate unexpectedly. This crash prevents the engine from processing subsequent traffic and can lead to a denial of service to monitoring or protection functions.\n", "risk_and_exploitability": "The Common Vulnerability Scoring System assigns a score of\u00a07.5, indicating a high impact if the issue is triggered. Attack conditions are inferred to require that an adversary can supply traffic crafted to activate the tls.alpn rule, such as by injecting a malicious packet into the network or by modifying rule files locally. The CVE does not include an Exploit Prediction Scoring System value, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the possibility of denial of service in an IDS/IPS deployment warrants prompt remediation."}}}}, "created": "2026-04-02T20:12:25.842261+00:00", "updated": "2026-04-02T20:21:06.483240+00:00", "vendors": ["oisf", "oisf$PRODUCT$suricata"]}