{"api_version":"1","generated_at":"2026-04-22T21:39:40+00:00","cve":"CVE-2026-31935","urls":{"html":"https://cve.report/CVE-2026-31935","api":"https://cve.report/api/cve/CVE-2026-31935.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31935","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31935"},"summary":{"title":"Suricata http2: unbounded resource consumption","description":"Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-02 15:16:37","updated_at":"2026-04-07 21:20:24"},"problem_types":["CWE-400","CWE-770","CWE-400 CWE-400: Uncontrolled Resource Consumption","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"u
rl":"https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x","name":"https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x","refsource":"security-advisories@github.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://redmine.openinfosecfoundation.org/issues/8289","name":"https://redmine.openinfosecfoundation.org/issues/8289","refsource":"security-advisories@github.com","tags":["Issue Tracking","Permissions Required"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31935","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31935","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OISF","product":"suricata","version":"affected < 7.0.15","platforms":[]},{"source":"CNA","vendor":"OISF","product":"suricata","version":"affected >= 8.0.0, < 8.0.4","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"31935","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oisf","cpe5":"suricata","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"31935","cve":"CVE-2026-31935","epss":"0.000400000","percentile":"0.120670000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-31935","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA 
Coordinator","timestamp":"2026-04-02T18:42:22.298340Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-02T18:42:31.423Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"suricata","vendor":"OISF","versions":[{"status":"affected","version":"< 7.0.15"},{"status":"affected","version":">= 8.0.0, < 8.0.4"}]}],"descriptions":[{"lang":"en","value":"Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"CWE-400: Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-770","description":"CWE-770: Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T14:36:44.186Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x","tags":["x_refsource_CONFIRM"],"url":"https://github.com/OISF/suricata/security/advisories/GHSA-vxrp-5pg7-7v4x"},{"name":"https://redmine.openinfosecfoundation.org/issues/8289","tags":["x_refsource_MISC"],"url":"https://redmine.openinfosecfoundation.org/issues/8289"}],"source":{"advisory":"GHSA-vxrp-5pg7-7v4x","discovery":"UNKNOWN"},"title":"Suricata http2: unbounded 
resource consumption"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-31935","datePublished":"2026-04-02T14:36:44.186Z","dateReserved":"2026-03-10T15:10:10.654Z","dateUpdated":"2026-04-02T18:42:31.423Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-02 15:16:37","lastModifiedDate":"2026-04-07 21:20:24","problem_types":["CWE-400","CWE-770","CWE-400 CWE-400: Uncontrolled Resource Consumption","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.15","matchCriteriaId":"1E0D4CF4-11E0-4FB1-9C17-F38257D376ED"},{"vulnerable":true,"criteria":"cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.4","matchCriteriaId":"F35C5A48-CA30-43B3-9E53-D3E51C862604"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31935","Ordinal":"1","Title":"Suricata http2: unbounded resource consumption","CVE":"CVE-2026-31935","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31935","Ordinal":"1","NoteData":"Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. 
This issue has been patched in versions 7.0.15 and 8.0.4.","Type":"Description","Title":"Suricata http2: unbounded resource consumption"}]}}}