CVE-2025-64330

7.5 HIGH

📋 TL;DR

A heap overflow vulnerability in Suricata's logging functionality can cause crashes when specific alert queue conditions are met. This affects Suricata versions before 7.0.13 and 8.0.2 when verdict logging is enabled. Organizations using vulnerable Suricata deployments for network monitoring are affected.

💻 Affected Systems

Products:
  • Suricata
Versions: All versions before 7.0.13 and 8.0.2
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ✅ No
Notes: Requires verdict logging enabled in eve.alert and eve.drop records with specific alert queue conditions.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Denial of service causing Suricata to crash, potentially disrupting network monitoring and intrusion detection capabilities.

🟠 Likely Case
Service disruption and crashes of Suricata processes, leading to gaps in network security monitoring.

🟢 If Mitigated
Minimal impact with proper queue size configuration and monitoring in place.

🌐 Internet-Facing: MEDIUM - Suricata often monitors internet-facing traffic, but exploitation requires specific alert queue conditions.
🏢 Internal Only: MEDIUM - Internal network monitoring could be disrupted, affecting security visibility.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires filling the per-packet alert queue with alerts followed by a pass rule, which requires specific network conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.13 and 8.0.2

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437

Restart Required: Yes

Instructions:

1. Download Suricata 7.0.13 or 8.0.2 from official sources.
2. Stop the Suricata service.
3. Install the updated version.
4. Restart the Suricata service.

🔧 Temporary Workarounds

Increase alert queue size (applies to: all)

Increase the packet-alert-max value in suricata.yaml to reduce the likelihood of exploitation.

Action: edit suricata.yaml and increase the 'packet-alert-max' value.

Disable verdict logging (applies to: all)

Disable verdict logging in eve.alert and eve.drop records if it is not required.

Action: set 'eve-log.alert.verdict' and 'eve-log.drop.verdict' to false in suricata.yaml.

🧯 If You Can't Patch

  • Increase packet-alert-max value significantly in suricata.yaml configuration
  • Disable verdict logging in eve.alert and eve.drop records

🔍 How to Verify

Check if Vulnerable:

Check the Suricata version, and check whether verdict logging is enabled in the configuration of a vulnerable version.

Check Version:

suricata --build-info | grep Version

Verify Fix Applied:

Verify Suricata version is 7.0.13 or higher (7.x) or 8.0.2 or higher (8.x)
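
One way to automate the version part of this check, as an added example that is not part of the advisory: it parses the output of suricata --build-info (assuming the line format "This is Suricata version X.Y.Z", which is an assumption about the tool's output) and applies the fixed-version boundaries given above. The verdict-logging configuration check is not automated here.

```python
"""Version check for CVE-2025-64330 (added example, not from the advisory).

Assumes `suricata --build-info` prints a line of the form
"This is Suricata version 7.0.12 RELEASE" (assumption about output format).
Fixed versions per the advisory: 7.0.13 (7.x line) and 8.0.2 (8.x line).
"""
import re
import subprocess
from typing import Optional, Tuple

# First fixed release of each affected line, as stated in the advisory.
FIXED = {7: (7, 0, 13), 8: (8, 0, 2)}
_VERSION_RE = re.compile(r"Suricata version (\d+)\.(\d+)\.(\d+)")


def parse_version(build_info: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `suricata --build-info` output."""
    m = _VERSION_RE.search(build_info)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if the version predates the fixed release of its line.

    Anything older than 7.x (e.g. 6.0.x) is before both fixes and is treated
    as vulnerable; a line newer than 8.x is not covered by the advisory.
    """
    major = version[0]
    if major < 7:
        return True
    fixed = FIXED.get(major)
    return fixed is not None and version < fixed


def check_host() -> str:
    """Run the build-info command on this host and report the result."""
    try:
        proc = subprocess.run(["suricata", "--build-info"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "suricata binary not found in PATH"
    v = parse_version(proc.stdout)
    if v is None:
        return "could not determine Suricata version"
    state = "VULNERABLE (update to 7.0.13 / 8.0.2)" if is_vulnerable(v) else "patched"
    return f"Suricata {'.'.join(map(str, v))}: {state}"


# Constructed sample output, standing in for a real `suricata --build-info` run.
SAMPLE_BUILD_INFO = "This is Suricata version 7.0.12 RELEASE\nFeatures: ...\n"

if __name__ == "__main__":
    v = parse_version(SAMPLE_BUILD_INFO)
    print(v, is_vulnerable(v))
```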

📡 Detection & Monitoring

Log Indicators:

  • Suricata crash logs
  • Segmentation fault errors in system logs
  • Unexpected Suricata process termination

Network Indicators:

  • Sudden drop in Suricata alert volume
  • Missing network monitoring data

SIEM Query:

source="suricata" AND ("segmentation fault" OR "crash" OR "terminated unexpectedly")
