Bug 2382725 (CVE-2025-53538) - CVE-2025-53538 suricata: Suricata resource starvation
Summary: CVE-2025-53538 suricata: Suricata resource starvation
Keywords:
Status: NEW
Alias: CVE-2025-53538
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority) / medium (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2382738 2382739 2382740 2382741
Blocks:
Reported: 2025-07-22 22:01 UTC by OSIDB Bzimport
Modified: 2025-07-22 22:49 UTC (History)
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-07-22 22:01:38 UTC
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP/2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, or using a signature such as:

drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;)

where the first byte_test reads the single byte at offset 3 of the frame header (the frame type, 0 = DATA) and the second reads the four bytes at offset 5 (the stream identifier, here 0). This is fixed in versions 7.0.11 and 8.0.0.
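The rule above hard-codes the HTTP/2 frame header layout from RFC 9113 section 4.1 (24-bit length, 8-bit type, 8-bit flags, one reserved bit plus a 31-bit stream identifier). The following is an added example, not Suricata code and not part of this bug report: it decodes frame headers from a constructed byte stream and replays the two byte_test checks literally, next to a spec-style check that masks the reserved bit as RFC 9113 requires receivers to do. The sample frames are constructed for this example, not captured traffic; the frame builder and the scan() helper are this example's own. It also shows the one caveat a practitioner should know about the workaround rule: byte_test:4 compares all four bytes at offset 5, so a DATA frame on stream 0 with the reserved high bit set does not match it.

```python
"""Added example (not Suricata code): decode HTTP/2 frame headers and replay the
workaround rule's two byte_test checks over a constructed frame sequence."""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

HDR_LEN = 9  # RFC 9113 s4.1: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id

# Frame type codes from RFC 9113 section 6; DATA is 0x0, which byte_test:1,=,0,3 checks for.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}


@dataclass(frozen=True)
class FrameHeader:
    length: int
    ftype: int
    flags: int
    stream_field: int  # the 4 bytes at offset 5 exactly as byte_test:4,=,0,5 reads them

    @property
    def stream_id(self) -> int:
        return self.stream_field & 0x7FFFFFFF  # receiver view: reserved high bit ignored

    @property
    def reserved_bit(self) -> int:
        return self.stream_field >> 31


def parse_frame_header(buf: bytes) -> FrameHeader:
    if len(buf) < HDR_LEN:
        raise ValueError("short HTTP/2 frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    (stream_field,) = struct.unpack(">I", buf[5:9])
    return FrameHeader(length, ftype, flags, stream_field)


def rule_matches(frame: bytes) -> bool:
    """Literal semantics of the advisory rule: byte at offset 3 == 0 (DATA) and the
    4 bytes at offset 5 == 0. A set reserved bit makes the second test fail."""
    hdr = parse_frame_header(frame)
    return hdr.ftype == 0x0 and hdr.stream_field == 0


def data_on_stream_zero(frame: bytes) -> bool:
    """Spec-oriented check: DATA frame whose 31-bit stream id is 0, with the reserved
    bit masked off as RFC 9113 s4.1 requires. Such a frame is a PROTOCOL_ERROR per
    s6.1, so a parser must not start buffering body data for stream 0."""
    hdr = parse_frame_header(frame)
    return hdr.ftype == 0x0 and hdr.stream_id == 0


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"",
                reserved_bit: bool = False) -> bytes:
    """Assemble one frame; reserved_bit lets the sample data exercise the rule's blind spot."""
    field = stream_id & 0x7FFFFFFF
    if reserved_bit:
        field |= 0x80000000
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", field) + payload


def split_frames(stream: bytes) -> Iterator[bytes]:
    """Yield complete frames from a byte stream positioned after the client connection preface."""
    off = 0
    while off + HDR_LEN <= len(stream):
        hdr = parse_frame_header(stream[off:off + HDR_LEN])
        end = off + HDR_LEN + hdr.length
        if end > len(stream):
            break  # trailing partial frame: wait for more bytes
        yield stream[off:end]
        off = end


def scan(stream: bytes) -> List[Tuple[str, int, bool, bool]]:
    """Per frame: (type name, 31-bit stream id, advisory rule hit, spec check hit)."""
    out = []
    for frame in split_frames(stream):
        hdr = parse_frame_header(frame)
        name = FRAME_TYPES.get(hdr.ftype, f"UNKNOWN(0x{hdr.ftype:x})")
        out.append((name, hdr.stream_id, rule_matches(frame), data_on_stream_zero(frame)))
    return out


# Constructed sample traffic (not a capture): a normal exchange, then the two abuse cases.
SAMPLE_STREAM = b"".join([
    build_frame(0x4, 0x0, 0),                                # SETTINGS on stream 0: legitimate
    build_frame(0x1, 0x4, 1, b"\x82"),                       # HEADERS, stream 1, END_HEADERS, HPACK ':method GET'
    build_frame(0x0, 0x1, 1, b"hello"),                      # DATA on stream 1, END_STREAM: legitimate
    build_frame(0x0, 0x0, 0, b"A" * 64),                     # DATA on stream 0: the trigger, rule hits
    build_frame(0x0, 0x0, 0, b"B" * 64, reserved_bit=True),  # same with reserved bit set: rule misses
])

if __name__ == "__main__":
    for row in scan(SAMPLE_STREAM):
        print(row)
```

The fourth frame is the shape the advisory describes and is caught by both checks; the fifth shows why the workaround is a stopgap rather than a fix: a peer that sets the reserved bit still delivers DATA on stream 0 to the parser while the literal byte_test:4 comparison fails. Upgrading to 7.0.11 or 8.0.0, or disabling the HTTP/2 parser, does not have that gap.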

