CVE-2026-31931
Received Received - Intake

NULL Dereference Crash in Suricata TLS ALPN Rule (v

Vulnerability report for CVE-2026-31931, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-02

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description

Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-02
Last Modified
2026-04-07
Generated
2026-07-06
AI Q&A
2026-04-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
oisf suricata From 8.0.0 (inc) to 8.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-31931 is a high-severity vulnerability in Suricata versions from 8.0.0 up to but not including 8.0.4. It is caused by a NULL pointer dereference triggered when the "tls.alpn" rule keyword is used in Suricata's TLS rules.

This NULL pointer dereference causes Suricata to crash, resulting in a denial of service. The vulnerability arises because Suricata attempts to access memory through a pointer that has not been properly initialized or has been set to NULL.

The issue was discovered by OSS Fuzz and has been fixed in Suricata version 8.0.4.

Impact Analysis

This vulnerability can cause Suricata to crash, leading to a loss of availability of the network intrusion detection and prevention services it provides.

Since the attack vector is network-based and requires no privileges or user interaction, an attacker can remotely trigger the crash by sending specially crafted network traffic that uses the "tls.alpn" keyword.

The impact is limited to availability loss; there is no impact on confidentiality or integrity of data.

Detection Guidance

This vulnerability is triggered by the use of the "tls.alpn" rule keyword in Suricata rules, which causes Suricata to crash due to a NULL pointer dereference.

To detect if your system is vulnerable, you should check the Suricata version running on your system and inspect your Suricata rules for the presence of the "tls.alpn" keyword.

  • Check Suricata version: `suricata --build-info | grep 'Version'`
  • Search for rules using the "tls.alpn" keyword: `grep -r 'tls.alpn' /etc/suricata/rules/` (adjust path as needed)

If Suricata crashes or logs errors related to NULL pointer dereference when processing rules with "tls.alpn", this indicates the vulnerability is being triggered.

Mitigation Strategies

The vulnerability has been fixed in Suricata version 8.0.4. The immediate mitigation is to upgrade Suricata to version 8.0.4 or later.

As a workaround, you can disable or remove any rules that use the "tls.alpn" keyword to prevent Suricata from crashing.

Note that no common rulesets currently use the "tls.alpn" keyword, so disabling such rules should have minimal impact.

Compliance Impact

This vulnerability in Suricata causes a denial of service through a crash due to a NULL pointer dereference when processing the "tls.alpn" rule keyword. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the loss of availability caused by this vulnerability could affect operational continuity, which may indirectly impact compliance if critical security monitoring is disrupted.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart