{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64330", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-30T17:40:52.029Z", "datePublished": "2025-11-26T23:03:40.376Z", "dateUpdated": "2025-11-28T15:36:34.984Z"}, "containers": {"cna": {"title": "Suricata is vulnerable to a heap buffer overflow on verdict", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437"}, {"name": "https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947", "tags": ["x_refsource_MISC"], "url": "https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947"}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"version": "< 7.0.13", "status": "affected"}, {"version": "< 8.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-26T23:03:40.376Z"}, "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size a should be increased (packet-alert-max in suricata.yaml) if verdict is enabled."}], "source": {"advisory": "GHSA-83v7-gm34-f437", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T15:36:02.909817Z", "id": "CVE-2025-64330", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T15:36:34.984Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64330", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T15:36:02.909817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T15:36:21.369Z"}}], "cna": {"title": "Suricata is vulnerable to a heap buffer overflow on verdict", "source": {"advisory": "GHSA-83v7-gm34-f437", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OISF", "product": "suricata", "versions": [{"status": "affected", "version": "< 7.0.13"}, {"status": "affected", "version": "< 8.0.2"}]}], "references": [{"url": "https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437", "name": "https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947", "name": "https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size a should be increased (packet-alert-max in suricata.yaml) if verdict is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-26T23:03:40.376Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64330", "state": "PUBLISHED", "dateUpdated": "2025-11-28T15:36:34.984Z", "dateReserved": "2025-10-30T17:40:52.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-26T23:03:40.376Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA4D86E3-44A3-4B0B-9CF4-9FC88091D3C1", "versionEndExcluding": "7.0.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:oisf:suricata:*:*:*:*:*:*:*:*", "matchCriteriaId": "C93A731C-19AD-4067-B28C-17164C2D981D", "versionEndExcluding": "8.0.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size a should be increased (packet-alert-max in suricata.yaml) if verdict is enabled."}], "id": "CVE-2025-64330", "lastModified": "2025-12-05T13:30:59.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-11-26T23:15:48.093", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Suricata: Suricata: Single byte read heap overflow leads to denial of service", "id": "2417413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417413"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-122", "details": ["A flaw was found in Suricata. This vulnerability allows a denial of service (DoS) via a single byte read heap overflow when logging the verdict in eve.alert and eve.drop records, requiring the per packet alert queue to be filled with alerts followed by a pass rule."], "name": "CVE-2025-64330", "public_date": "2025-11-26T23:03:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-64330\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-64330\nhttps://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947\nhttps://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437"], "statement": "The highest threat of this flaw is to system availability. This issue only affects Suricata instances where the per packet alert queue is filled with alerts and then followed by a pass rule, leading to a denial of service.", "threat_severity": "Important"}