SecuriTricks - CVE-2025-64330

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size a should be increased (packet-alert-max in suricata.yaml) if verdict is enabled.

Product(s) Impacted

Vendor	Product	Versions
Oisf	Suricata	<7.0.13, <8.0.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-122

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	oisf	suricata	<7.0.13	/	/	/	/	/	/	/
a	oisf	suricata	<8.0.2	/	/	/	/	/	/	/

References

https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947

https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: Nov. 26, 2025, 11:15 p.m.
Last Modified: Nov. 26, 2025, 11:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-64330