CVE-2026-22263 MEDIUM

CVE-2026-22263: Suricata http1: quadratic complexity in headers parsing over multiple packets

Vendor Oisf
Product suricata
Weakness CWE-1050
Published January 27, 2026
Last update January 27, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available.

Key dates

02Disclosure timeline

January 27, 2026 CVE published
January 27, 2026 Record updated