CVE-2025-29916

low-risk

Published 2025-04-10

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.

Do I need to act?

0.15% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.2/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Suricata

Affected Vendors

Oisf

References (3)

Patch https://github.com/OISF/suricata/commit/a7713db709b8a0be5fc5e5809ab58e9b14a16e85

Vendor Advisory https://github.com/OISF/suricata/security/advisories/GHSA-27g3-pmvp-j9cv

Permissions Required https://redmine.openinfosecfoundation.org/issues/7615

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal