Unrated severityOSV Advisory· Published Jan 27, 2026· Updated Jan 27, 2026

Suricata http1: infinite recursion in decompression

CVE-2026-22260

Description

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for request-body-limit and response-body-limit.

Affected products

Oisf/SuricataOSV
Range: suricata-8.0.0, suricata-8.0.1, suricata-8.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185mitrex_refsource_MISC
github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22mitrex_refsource_CONFIRM
redmine.openinfosecfoundation.org/issues/8185mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000