CVE-2025-29915

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/OISF/suricata/commit/d78f2c9a4e2b59f44daeddff098915084493d08d
https://github.com/OISF/suricata/security/advisories/GHSA-7m5c-cqx4-x8mp
https://redmine.openinfosecfoundation.org/issues/5373

Configurations

No configuration.

History

11 Apr 2025, 15:39

Type	Values Removed	Values Added
Summary		(es) Suricata es un sistema de detección de intrusiones de red, un sistema de prevención de intrusiones y un motor de monitoreo de seguridad de red. La opción de desfragmentación AF_PACKET está habilitada de forma predeterminada y permite que AF_PACKET vuelva a ensamblar los paquetes fragmentados antes de llegar a Suricata. Sin embargo, el tamaño de paquete predeterminado en Suricata se basa en la MTU de la interfaz de red, lo que provoca que Suricata vea paquetes truncados. Actualice a Suricata 7.0.9, que utiliza mejores valores predeterminados y agrega advertencias para las configuraciones de usuario que pueden generar problemas.

10 Apr 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-10 20:15

Updated : 2025-04-11 15:39

NVD link : CVE-2025-29915

Mitre link : CVE-2025-29915

CVE.ORG link : CVE-2025-29915

JSON object : View

Products Affected

No product.

CWE

CWE-347

Improper Verification of Cryptographic Signature

7.5 /10