CVE-2025-59150

7.5 HIGH

📋 TL;DR

A NULL pointer dereference in Suricata's parsing of the TLS certificate subject alternative name (exposed to rules through the tls.subjectaltname keyword) crashes the engine with a segmentation fault when it inspects a TLS certificate whose subjectaltname field contains a NULL byte. Only Suricata 8.0.0 is affected, and only while a loaded rule uses tls.subjectaltname. An attacker triggers it by presenting a crafted certificate in any TLS handshake the sensor inspects; the result is loss of the sensor (denial of service), not code execution.

💻 Affected Systems

Products:
  • Suricata
Versions: Version 8.0.0 only
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ⚠️ Yes
Notes: The crash is reachable only when a loaded rule uses the tls.subjectaltname keyword. The stock configuration itself does not trigger it, but commonly deployed rule sets may contain such rules, so treat an 8.0.0 sensor as exposed until you have confirmed that no active rule uses the keyword.

📦 What is this software?

Suricata is the open-source network intrusion detection and prevention engine (IDS/IPS) maintained by OISF. It inspects live or captured traffic against signature rules and application-layer parsers, including a TLS parser that extracts certificate fields such as the subject alternative name so that rule keywords like tls.subjectaltname can match on them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Suricata service crash leading to loss of network monitoring, intrusion detection, and prevention capabilities, potentially allowing undetected attacks to pass through.

🟠

Likely Case

Suricata process crashes when encountering malicious TLS certificates, causing temporary loss of monitoring until service restart.

🟢

If Mitigated

With proper segmentation and redundant monitoring, impact is limited to single sensor failure with minimal network disruption.

🌐 Internet-Facing: HIGH - Sensors inspecting Internet traffic see handshakes with arbitrary remote hosts, so an attacker only needs a monitored client to connect to a server that presents the crafted certificate, or to connect inbound and present one.
🏢 Internal Only: MEDIUM - An internal attacker or compromised host must be able to place a TLS handshake on a link the sensor inspects; no access to the sensor itself is required.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that a TLS handshake carrying a crafted certificate traverse a monitored link while a rule using tls.subjectaltname is loaded. No authentication to any system is needed, and the certificate does not have to be valid or trusted: Suricata parses the certificate bytes from the handshake without validating the chain.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.1

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-mhv7-qfmj-m3f3

Restart Required: Yes

Instructions:

1. Download Suricata 8.0.1 from official sources.
2. Stop the Suricata service.
3. Install the new version following platform-specific instructions.
4. Restart the Suricata service.
5. Verify the version (suricata -V) and that traffic is being processed again.

🔧 Temporary Workarounds

Disable tls.subjectaltname rules (applies to all platforms)

Remove or disable every active rule that uses the tls.subjectaltname keyword; with no such rule loaded the vulnerable code path is not reached. Suricata has no command-line option for disabling rules by keyword, so do it in the rule management layer:

  • With suricata-update, add a regular-expression entry to its disable.conf (default /etc/suricata/disable.conf) and rerun the update:
      re:tls\.subjectaltname
      suricata-update
  • If rules are managed by hand, locate them with grep -rn 'tls\.subjectaltname' /etc/suricata/rules /var/lib/suricata/rules (adjust to your rule path) and comment them out.

Afterwards run a configuration test (suricata -T -c /etc/suricata/suricata.yaml) and restart the service so the reduced rule set is loaded. This workaround also removes whatever detection those rules provided.

🧯 If You Can't Patch

  • Use network segmentation so that unpatched sensors inspect only traffic from trusted segments; any path that carries attacker-controlled TLS handshakes past an unpatched sensor is a crash vector
  • Deploy redundant Suricata instances with automatic failover to maintain monitoring during crashes
  • Run Suricata under a supervisor that restarts it on failure (for example systemd Restart=on-failure) and enable core dumps, so a crash becomes a short gap plus a forensic artefact rather than a silent outage; in inline IPS deployments also decide deliberately whether the data path fails open or closed while the engine is down

🔍 How to Verify

Check if Vulnerable:

Check the running version with suricata -V | grep 'version'; the affected release prints "Suricata version 8.0.0". Then check whether any active rule uses the keyword, e.g. grep -rn 'tls\.subjectaltname' /etc/suricata/rules /var/lib/suricata/rules (adjust to your rule path). A sensor on 8.0.0 with at least one such rule loaded is vulnerable.

Check Version:

suricata -V | grep 'version'

Verify Fix Applied:

Confirm the version is 8.0.1 or later with suricata -V | grep 'version'. As a functional check, replay a capture containing TLS handshakes with a rule set that uses tls.subjectaltname (suricata -r capture.pcap -S san.rules -l /tmp/out) and confirm the engine processes the whole file and exits cleanly.
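The version and rule checks above, together with the disable.conf step from the workaround section, as one script. This is an added example, not code from the advisory or from the Suricata project. It assumes the banner format "This is Suricata version X.Y.Z RELEASE" printed by suricata -V, the "re:" regular-expression entry syntax of suricata-update's disable.conf, and a constructed rules file; the functions take the banner text and rule file paths as arguments so the same code can be pointed at real sensor output.

```shell
#!/bin/sh
# Added example for CVE-2025-59150 (not from the advisory or the Suricata project).
# Decides whether a sensor is exposed from (a) the banner printed by `suricata -V`
# and (b) the rule files it loads, and writes the suricata-update disable.conf entry
# used as a workaround. All sample data below is constructed.

# Extract "8.0.0" from a banner such as "This is Suricata version 8.0.0 RELEASE".
suricata_version() {
    printf '%s\n' "$1" | sed -n 's/.*Suricata version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# The advisory lists 8.0.0 as the only affected release, so match it exactly.
version_affected() {
    [ "$(suricata_version "$1")" = "8.0.0" ]
}

# Print the sid of every *active* rule using the tls.subjectaltname keyword.
# Commented-out rules are skipped: they are not loaded and cannot trigger the bug.
san_rule_sids() {
    [ $# -gt 0 ] || return 1      # refuse to fall back to stdin
    grep -h 'tls\.subjectaltname' "$@" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | sed -n 's/.*sid:[[:space:]]*\([0-9]*\).*/\1/p'
}

# Usage: exposure "<banner>" rules-file... ; prints one of
#   exposed | not-affected-version | no-san-rules
exposure() {
    banner=$1; shift
    if ! version_affected "$banner"; then
        echo "not-affected-version"
    elif [ -n "$(san_rule_sids "$@")" ]; then
        echo "exposed"
    else
        echo "no-san-rules"
    fi
}

# Append the workaround entry to a suricata-update disable.conf (default
# /etc/suricata/disable.conf) exactly once. The "re:" form is matched as a regular
# expression against the rule text, so every rule containing the keyword is
# disabled on the next `suricata-update` run.
add_disable_entry() {
    entry='re:tls\.subjectaltname'
    grep -qxF "$entry" "$1" 2>/dev/null || printf '%s\n' "$entry" >> "$1"
}

# --- Constructed demo data (not real sensor output) ---
BANNER='This is Suricata version 8.0.0 RELEASE'
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
alert tls any any -> any any (msg:"SAN match"; tls.subjectaltname; content:"evil.example"; sid:1000001; rev:1;)
# alert tls any any -> any any (msg:"disabled SAN rule"; tls.subjectaltname; content:"x"; sid:1000002; rev:1;)
alert tls any any -> any any (msg:"SNI match, unaffected keyword"; tls.sni; content:"evil.example"; sid:1000003; rev:1;)
EOF
DISABLE_CONF=$(mktemp)

san_rule_sids "$RULES"          # 1000001
exposure "$BANNER" "$RULES"     # exposed
add_disable_entry "$DISABLE_CONF"
cat "$DISABLE_CONF"             # re:tls\.subjectaltname
```

On a real sensor: exposure "$(suricata -V)" /var/lib/suricata/rules/*.rules, and if that prints "exposed", add_disable_entry /etc/suricata/disable.conf && suricata-update, followed by suricata -T -c /etc/suricata/suricata.yaml before restarting the service. The sid list is worth keeping: it tells you which detections you are giving up until the sensor is on 8.0.1.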

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in Suricata logs
  • Process crashes with core dumps
  • Unexpected Suricata service restarts

Network Indicators:

  • Unusual TLS certificates with NULL bytes in subjectaltname fields
  • Multiple connection attempts with malformed TLS handshakes

SIEM Query:

Suricata cannot log its own segmentation fault, so the evidence is written by the kernel and the service manager rather than to suricata.log. Search the journal or syslog feed:

journalctl -u suricata | grep -E 'code=dumped|SEGV|core-dump'
journalctl -k | grep -E 'suricata\[[0-9]+\]: segfault at'

Equivalent SIEM query over ingested journal/syslog events: "suricata" AND ("segfault at" OR "SIGSEGV" OR "/SEGV" OR "code=dumped" OR "core dumped"). A kernel segfault record whose faulting address is 0 is consistent with a NULL pointer dereference such as this one.
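The detection logic above run over sample log lines, as an added example that is not from the advisory or from the Suricata project. The lines are constructed to mimic the default journald "short" format for kernel segfault records and systemd unit failures; they are not from a real incident, and the process IDs and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the advisory or the Suricata project): pull crash evidence for a
# Suricata sensor out of journal/syslog lines. Suricata cannot log its own segmentation
# fault, so the records come from the kernel and the service manager. The sample lines
# below are constructed to mimic those formats; they are not from a real incident.

# Every line that ties "suricata" to a crash signal or core dump, whatever the source.
suricata_crash_lines() {
    grep -i 'suricata' "$@" | grep -iE 'SIGSEGV|/SEGV|segfault at|segmentation fault|core.dump|code=dumped'
}

# Kernel segfault records whose faulting address is 0: that is what a NULL pointer
# dereference looks like (a small offset from 0 is the same pattern through a struct
# field). Consistent with this CVE, though not proof of it on its own.
null_deref_segfaults() {
    grep -E 'suricata\[[0-9]+\]: segfault at 0 ' "$@"
}

# Crash events per hour ("N Mon DD HH:00"), so repeated triggering stands out from a one-off.
crashes_per_hour() {
    suricata_crash_lines "$@" \
        | awk '{ k = $1 " " $2 " " substr($3, 1, 2) ":00"; n[k]++ } END { for (k in n) print n[k], k }' \
        | sort -k2
}

# --- Constructed demo data (journald short format; PIDs and addresses are invented) ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Sep 15 10:22:31 sensor1 kernel: suricata[2314]: segfault at 0 ip 00005610a1f3c2aa sp 00007f1c3a7fd8c0 error 4 in suricata[5610a1c00000+7b0000]
Sep 15 10:22:31 sensor1 systemd[1]: suricata.service: Main process exited, code=dumped, status=11/SEGV
Sep 15 10:22:31 sensor1 systemd[1]: suricata.service: Failed with result 'core-dump'.
Sep 15 10:22:36 sensor1 systemd[1]: suricata.service: Scheduled restart job, restart counter is at 1.
Sep 15 10:22:41 sensor1 suricata[2401]: 15/9/2025 -- 10:22:41 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
Sep 15 11:04:17 sensor1 kernel: suricata[2401]: segfault at 0 ip 00005610a1f3c2aa sp 00007f1c3a7fd8c0 error 4 in suricata[5610a1c00000+7b0000]
Sep 15 11:04:17 sensor1 systemd[1]: suricata.service: Main process exited, code=dumped, status=11/SEGV
EOF

suricata_crash_lines "$LOG" | wc -l    # 5
null_deref_segfaults "$LOG" | wc -l    # 2
crashes_per_hour "$LOG"                # 3 Sep 15 10:00 / 2 Sep 15 11:00
```

Against a live sensor the functions read stdin when given no file: journalctl -k --since '24 hours ago' | null_deref_segfaults, and journalctl -u suricata --since '24 hours ago' | crashes_per_hour. Two or more crashes in the same hour on a sensor that has not been patched is the pattern to alert on; a single crash followed by a clean restart still deserves a look at the core dump.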

🔗 References

  • Vendor advisory (OISF): https://github.com/OISF/suricata/security/advisories/GHSA-mhv7-qfmj-m3f3
