Unrated severity · NVD Advisory · Published Jul 11, 2024 · Updated Nov 3, 2025
Suricata defrag: IP ID reuse can lead to policy bypass
CVE-2024-37151
Description
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable defrag to reduce the scope of the problem.
Affected products
Patches
No patches discovered yet.
References
- https://github.com/OISF/suricata/commit/9d5c4273cb7e5ca65f195f7361f0d848c85180e0
- https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b
- https://github.com/OISF/suricata/security/advisories/GHSA-qrp7-g66m-px24
- https://redmine.openinfosecfoundation.org/issues/7041
- https://redmine.openinfosecfoundation.org/issues/7042