CVE-2025-29915

7.5 HIGH

📋 TL;DR

Suricata's default AF_PACKET defrag configuration causes packet truncation when reassembling fragmented packets, leading to incomplete network traffic analysis. This affects all Suricata deployments using default settings, potentially allowing malicious traffic to evade detection.

💻 Affected Systems

Products:
  • Suricata
Versions: All versions before 7.0.9
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using AF_PACKET interface (default on Linux). Other capture methods like PF_RING or NFQUEUE are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass Suricata's intrusion detection/prevention entirely by fragmenting malicious packets, enabling undetected network attacks, data exfiltration, or lateral movement.

🟠 Likely Case

Suricata fails to detect or prevent attacks that use packet fragmentation, reducing security monitoring effectiveness and allowing some malicious traffic through.

🟢 If Mitigated

With proper configuration or patching, Suricata correctly handles fragmented packets, maintaining full network security monitoring capabilities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending fragmented packets to the monitored network, which is trivial for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.9

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-7m5c-cqx4-x8mp

Restart Required: Yes

Instructions:

1. Download Suricata 7.0.9 from official sources.
2. Stop the Suricata service.
3. Install/upgrade to 7.0.9.
4. Restart the Suricata service.
5. Verify that the new version is running.

🔧 Temporary Workarounds

Disable AF_PACKET defrag (linux)

Disable packet defragmentation in the AF_PACKET configuration so the truncation issue cannot occur; fragmented packets are then passed to Suricata's own defrag engine rather than reassembled by the kernel.

Edit suricata.yaml and set, in each interface entry of the af-packet section:
  af-packet:
    - defrag: false

Increase packet buffer size (linux)

Manually configure a larger packet buffer size to accommodate reassembled packets.

Edit suricata.yaml: set 'max-pending-packets: 10000' and adjust 'buffer-size' in the af-packet interface entries appropriately.

🧯 If You Can't Patch

  • Disable AF_PACKET defragmentation in configuration
  • Use alternative capture methods like PF_RING or NFQUEUE instead of AF_PACKET

🔍 How to Verify

Check if Vulnerable:

Check the Suricata version and configuration: run 'suricata --build-info' for the version, then check whether suricata.yaml uses AF_PACKET with defrag enabled (the default setting).

Check Version:

suricata --build-info | grep Version

Verify Fix Applied:

Confirm the version is 7.0.9 or later ('suricata --build-info | grep Version') and test with a fragmented packet capture.
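The two checks above (version at or past 7.0.9, and AF_PACKET interfaces with defrag enabled) can be scripted. The following is an added example, not code from the advisory or from the Suricata project. It assumes the version string looks like the 'This is Suricata version X.Y.Z' line printed by 'suricata --build-info', and that the af-packet section of suricata.yaml has been loaded by a YAML parser into a list of per-interface mappings; the function names and the constructed sample data are the example's own. Treating an interface entry with no 'defrag' key as enabled is an assumption made to be conservative, because the advisory describes the default configuration as affected.

```python
"""Added example (not from the advisory): assess a Suricata deployment for
the CVE-2025-29915 conditions, i.e. a version before 7.0.9 combined with
AF_PACKET interfaces that have defrag enabled."""

import re

FIXED_VERSION = (7, 0, 9)  # first release with the fix, per the advisory

# Constructed sample inputs so the script runs offline.
SAMPLE_BUILD_INFO = "This is Suricata version 7.0.8 RELEASE"
SAMPLE_AF_PACKET = [  # mirrors the list-of-interfaces layout of suricata.yaml's af-packet section
    {"interface": "eth0", "cluster-id": 99, "cluster-type": "cluster_flow", "defrag": "yes"},
    {"interface": "eth1", "cluster-id": 98, "cluster-type": "cluster_flow", "defrag": "no"},
    {"interface": "default"},  # no defrag key at all
]


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a build-info 'Version' line or a
    bare version string such as '7.0.8' or '7.0.8-dev'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True when the running version is 7.0.9 or later."""
    return parse_version(version) >= FIXED_VERSION


def _truthy(value) -> bool:
    """YAML loaders may hand back a bool or a string; accept the usual
    yes/true/on/1 spellings as 'enabled' (assumption)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"yes", "true", "on", "1"}


def defrag_enabled_interfaces(af_packet: list, missing_means_enabled: bool = True) -> list:
    """Names of af-packet interface entries with defrag enabled.

    An entry without a 'defrag' key is reported as enabled by default
    (assumption: the advisory says the default configuration is affected),
    so such entries are worth reviewing even if the compiled-in default differs."""
    names = []
    for entry in af_packet or []:
        if not isinstance(entry, dict) or "interface" not in entry:
            continue
        if "defrag" in entry:
            enabled = _truthy(entry["defrag"])
        else:
            enabled = missing_means_enabled
        if enabled:
            names.append(entry["interface"])
    return names


def assess(version: str, af_packet: list) -> dict:
    """Combine both checks: vulnerable only if unpatched AND at least one
    AF_PACKET interface still reassembles fragments in the kernel."""
    patched = is_patched(version)
    exposed = defrag_enabled_interfaces(af_packet)
    return {
        "version": ".".join(str(n) for n in parse_version(version)),
        "patched": patched,
        "defrag_interfaces": exposed,
        "vulnerable": (not patched) and bool(exposed),
    }


if __name__ == "__main__":
    # Usage: swap the constructed samples for real `suricata --build-info`
    # output and the af-packet list loaded from suricata.yaml.
    result = assess(SAMPLE_BUILD_INFO, SAMPLE_AF_PACKET)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The 'vulnerable' flag is deliberately conjunctive: upgrading to 7.0.9 clears it regardless of configuration, and on an unpatched host the workaround of setting 'defrag: false' on every interface entry clears it too, which matches the two remediation paths the advisory card lists.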

📡 Detection & Monitoring

Log Indicators:

  • Suricata logs showing packet truncation warnings
  • Missing expected alerts for known attack patterns

Network Indicators:

  • Unusual increase in fragmented packets
  • Traffic patterns that should trigger alerts but don't

SIEM Query:

source="suricata" ("truncated" OR "fragment" OR "defrag") AND severity>=WARNING
