CVE-2026-31931
NULL Dereference Crash in Suricata TLS ALPN Rule (v
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oisf | suricata | From 8.0.0 (inc) to 8.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31931 is a high-severity vulnerability in Suricata versions from 8.0.0 up to but not including 8.0.4. It is caused by a NULL pointer dereference triggered when the "tls.alpn" rule keyword is used in Suricata's TLS rules.
This NULL pointer dereference causes Suricata to crash, resulting in a denial of service. The vulnerability arises because Suricata attempts to access memory through a pointer that has not been properly initialized or has been set to NULL.
The issue was discovered by OSS Fuzz and has been fixed in Suricata version 8.0.4.
How can this vulnerability impact me?
This vulnerability can cause Suricata to crash, leading to a loss of availability of the network intrusion detection and prevention services it provides.
Since the attack vector is network-based and requires no privileges or user interaction, an attacker can remotely trigger the crash by sending specially crafted network traffic to a sensor whose ruleset uses the "tls.alpn" keyword.
The impact is limited to availability loss; there is no impact on confidentiality or integrity of data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by the use of the "tls.alpn" rule keyword in Suricata rules, which causes Suricata to crash due to a NULL pointer dereference.
To detect if your system is vulnerable, you should check the Suricata version running on your system and inspect your Suricata rules for the presence of the "tls.alpn" keyword.
- Check Suricata version: `suricata --build-info | grep -i 'version'`
- Search for rules using the "tls.alpn" keyword: `grep -rn 'tls\.alpn' /etc/suricata/rules/` (adjust path as needed)
If Suricata crashes or logs errors related to NULL pointer dereference when processing rules with "tls.alpn", this indicates the vulnerability is being triggered.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed in Suricata version 8.0.4. The immediate mitigation is to upgrade Suricata to version 8.0.4 or later.
As a workaround, you can disable or remove any rules that use the "tls.alpn" keyword to prevent Suricata from crashing.
Note that no common rulesets currently use the "tls.alpn" keyword, so disabling such rules should have minimal impact.
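The version check and rule search above, together with the "disable the tls.alpn rules" workaround, combined into one defender-side pre-check script. This is an added example, not part of the CVE record or of the Suricata project: it assumes that `suricata --build-info` prints a line of the form "This is Suricata version X.Y.Z ...", and the rules directory it scans is constructed inline from made-up rules so the script runs offline. It tells you whether the reported version falls in the affected range 8.0.0 (inclusive) to 8.0.4 (exclusive) and lists only the active (non-commented) rule lines that use the keyword, which are the rules to disable until the sensor is on 8.0.4 or later.

```shell
#!/bin/sh
# Added example (not from the CVE record or from the Suricata project):
# a defender-side pre-check for CVE-2026-31931 that
#   1. decides whether a Suricata version string falls in the affected range
#      8.0.0 (inclusive) to 8.0.4 (exclusive), and
#   2. lists the active rule lines that use the tls.alpn keyword, i.e. the
#      rules to disable as a workaround until the sensor runs 8.0.4 or later.
# Assumption: `suricata --build-info` prints a line of the form
# "This is Suricata version X.Y.Z ..." (parsed case-insensitively below).

# version_from_build_info  (reads build-info text on stdin)
# Prints the X.Y.Z token that follows the word "version"; prints nothing if absent.
version_from_build_info() {
    awk 'tolower($0) ~ /suricata version/ {
             for (i = 1; i <= NF; i++)
                 if (tolower($i) == "version") { print $(i + 1); exit }
         }'
}

# is_affected_version VERSION -> exit 0 if VERSION is in [8.0.0, 8.0.4), else 1
is_affected_version() {
    # keep only the leading X.Y.Z part, so "8.0.2-dev" is treated as 8.0.2
    v=$(printf '%s' "$1" | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/')
    case "$v" in
        *[!0-9.]*|"") return 1 ;;          # empty or non-numeric junk
        [0-9]*.[0-9]*.[0-9]*) ;;           # exactly three numeric components
        *) return 1 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 8 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 4 ]
}

# list_active_alpn_rules DIR -> prints file:line:rule for every rule line that
# mentions tls.alpn and is not commented out; exit status 0 if any was found.
# (Assumes DIR's path contains no ':' so the file:line prefix parses cleanly.)
list_active_alpn_rules() {
    grep -rn 'tls\.alpn' "$1" 2>/dev/null \
        | grep -v '^[^:]*:[0-9][0-9]*:[[:space:]]*#'
}

# make_sample_rules -> creates a throwaway rules directory holding CONSTRUCTED
# rules (not taken from any real ruleset) and prints its path
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/local.rules" <<'EOF'
alert tls any any -> any any (msg:"CONSTRUCTED tls.alpn rule"; tls.alpn; content:"h2"; sid:9000001; rev:1;)
# alert tls any any -> any any (msg:"CONSTRUCTED disabled tls.alpn rule"; tls.alpn; content:"http/1.1"; sid:9000002; rev:1;)
alert tls any any -> any any (msg:"CONSTRUCTED unrelated tls.sni rule"; tls.sni; content:"example.com"; sid:9000003; rev:1;)
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo on a constructed build-info line and the sample rules.
main() {
    ver=$(printf 'This is Suricata version 8.0.2 RELEASE\n' | version_from_build_info)
    # On a real sensor: ver=$(suricata --build-info | version_from_build_info)
    if is_affected_version "$ver"; then
        echo "Suricata $ver is in the affected range [8.0.0, 8.0.4): upgrade to 8.0.4 or later"
    else
        echo "Suricata $ver is outside the affected range"
    fi
    dir=$(make_sample_rules)
    # On a real sensor: list_active_alpn_rules /etc/suricata/rules
    if list_active_alpn_rules "$dir"; then
        echo "active tls.alpn rules found: disable them until the upgrade is done"
    else
        echo "no active tls.alpn rules"
    fi
    rm -rf "$dir"
}
main
```

Commented-out rules are excluded on purpose: Suricata does not load them, so they cannot trigger the crash, and leaving them in the report would inflate the list of rules an operator thinks need attention. The version comparison is deliberately strict about three numeric components so a malformed or empty version string is reported as "not confirmed affected" rather than producing a shell arithmetic error.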
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Suricata causes a denial of service through a crash due to a NULL pointer dereference when processing the "tls.alpn" rule keyword. It impacts availability but does not affect confidentiality or integrity of data.
Since the vulnerability does not compromise data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.
However, the loss of availability caused by this vulnerability could affect operational continuity, which may indirectly impact compliance if critical security monitoring is disrupted.