HIGHCVE-2026-31931CVSS 7.5

CVE-2026-31931: NULL Pointer Dereference in Suricata

Q: What is CVE-2026-31931 — NULL Pointer Dereference in Suricata?

CVE-2026-31931 is a HIGH severity vulnerability in Suricata versions 8.0.0-8.0.3 where the 'tls.alpn' rule keyword can cause a NULL pointer dereference, leading to a crash.

Q: Am I affected by CVE-2026-31931 in Suricata?

You are affected if you are running Suricata versions 8.0.0 through 8.0.3. Upgrade to 8.0.4 to mitigate the risk.

Q: How do I fix CVE-2026-31931 in Suricata?

Upgrade Suricata to version 8.0.4 or later. As a temporary workaround, disable the 'tls.alpn' rule keyword in your configuration.

Q: Is CVE-2026-31931 being actively exploited?

There is no confirmed active exploitation of CVE-2026-31931 at this time, but it is important to apply the patch proactively.

Q: Where can I find the official Suricata advisory for CVE-2026-31931?

Refer to the official Suricata security advisory for CVE-2026-31931 on the Suricata website or security mailing lists.

Platform

other

Component

suricata

Fixed in

8.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2026-31931 describes a NULL pointer dereference vulnerability in Suricata, a network IDS, IPS, and NSM engine. This flaw allows an attacker to crash the Suricata process by exploiting the 'tls.alpn' rule keyword. The vulnerability impacts Suricata versions 8.0.0 through 8.0.3, and a patch is available in version 8.0.4.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-31931 can lead to a denial-of-service (DoS) condition, effectively disrupting network monitoring and security operations. An attacker could craft malicious network traffic containing specific TLS ALPN configurations to trigger the crash. This could impact the availability of critical security functions, potentially allowing malicious activity to go undetected. The blast radius extends to any system relying on Suricata for network intrusion detection and prevention.

Exploitation Context

This vulnerability was publicly disclosed on 2026-04-02. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently unknown. It is not listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.06% (19% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

CVSS Vector

Affected Software

Componentsuricata

VendorOISF

Affected rangeFixed in

>= 8.0.0, < 8.0.4 – >= 8.0.0, < 8.0.48.0.1

Weakness Classification (CWE)

CWE-476

Timeline

Reserved2026-03-10
Published2026-04-02
EPSS updated2026-04-10

Mitigation and Workarounds

The primary mitigation for CVE-2026-31931 is to upgrade Suricata to version 8.0.4 or later. If immediate upgrading is not feasible, consider temporarily disabling the 'tls.alpn' rule keyword within your Suricata configuration. While this reduces the engine's ability to inspect TLS ALPN extensions, it prevents the crash. Monitor Suricata logs for unexpected crashes or errors, which could indicate exploitation attempts. After upgrading, confirm the fix by testing the Suricata configuration with traffic containing TLS ALPN extensions to ensure stability.

How to fix

Update Suricata to version 8.0.4 or later. This version fixes the NULL pointer dereference vulnerability in the 'tls.alpn' rule keyword.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-31931 — NULL Pointer Dereference in Suricata?

CVE-2026-31931 is a HIGH severity vulnerability in Suricata versions 8.0.0-8.0.3 where the 'tls.alpn' rule keyword can cause a NULL pointer dereference, leading to a crash.

Am I affected by CVE-2026-31931 in Suricata?

You are affected if you are running Suricata versions 8.0.0 through 8.0.3. Upgrade to 8.0.4 to mitigate the risk.

How do I fix CVE-2026-31931 in Suricata?

Upgrade Suricata to version 8.0.4 or later. As a temporary workaround, disable the 'tls.alpn' rule keyword in your configuration.

Is CVE-2026-31931 being actively exploited?

There is no confirmed active exploitation of CVE-2026-31931 at this time, but it is important to apply the patch proactively.

Where can I find the official Suricata advisory for CVE-2026-31931?

Refer to the official Suricata security advisory for CVE-2026-31931 on the Suricata website or security mailing lists.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: High — complete crash or resource exhaustion. Full denial of service.