CVE-2026-31931
Received Received - Intake
NULL Dereference Crash in Suricata TLS ALPN Rule (v

Publication date: 2026-04-02

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31931
EUVD
EUVD-2026-18237
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oisf suricata From 8.0.0 (inc) to 8.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31931 is a high-severity vulnerability in Suricata versions from 8.0.0 up to but not including 8.0.4. It is caused by a NULL pointer dereference triggered when the "tls.alpn" rule keyword is used in Suricata's TLS rules.

This NULL pointer dereference causes Suricata to crash, resulting in a denial of service. The vulnerability arises because Suricata attempts to access memory through a pointer that has not been properly initialized or has been set to NULL.

The issue was discovered by OSS Fuzz and has been fixed in Suricata version 8.0.4.

Impact Analysis

This vulnerability can cause Suricata to crash, leading to a loss of availability of the network intrusion detection and prevention services it provides.

Since the attack vector is network-based and requires no privileges or user interaction, an attacker can remotely trigger the crash by sending specially crafted network traffic that uses the "tls.alpn" keyword.

The impact is limited to availability loss; there is no impact on confidentiality or integrity of data.

Detection Guidance

This vulnerability is triggered by the use of the "tls.alpn" rule keyword in Suricata rules, which causes Suricata to crash due to a NULL pointer dereference.

To detect if your system is vulnerable, you should check the Suricata version running on your system and inspect your Suricata rules for the presence of the "tls.alpn" keyword.

  • Check Suricata version: `suricata --build-info | grep 'Version'`
  • Search for rules using the "tls.alpn" keyword: `grep -r 'tls.alpn' /etc/suricata/rules/` (adjust path as needed)

If Suricata crashes or logs errors related to NULL pointer dereference when processing rules with "tls.alpn", this indicates the vulnerability is being triggered.

Mitigation Strategies

The vulnerability has been fixed in Suricata version 8.0.4. The immediate mitigation is to upgrade Suricata to version 8.0.4 or later.

As a workaround, you can disable or remove any rules that use the "tls.alpn" keyword to prevent Suricata from crashing.

Note that no common rulesets currently use the "tls.alpn" keyword, so disabling such rules should have minimal impact.

Compliance Impact

This vulnerability in Suricata causes a denial of service through a crash due to a NULL pointer dereference when processing the "tls.alpn" rule keyword. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise data confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the loss of availability caused by this vulnerability could affect operational continuity, which may indirectly impact compliance if critical security monitoring is disrupted.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart