CVE-2025-64332

7.5 HIGH

📋 TL;DR

A stack overflow vulnerability in Suricata's SWF decompression feature can cause the IDS/IPS engine to crash when processing malicious SWF files. This affects Suricata installations with SWF decompression enabled, potentially disrupting network security monitoring. The vulnerability is present in versions before 7.0.13 and 8.0.2.

💻 Affected Systems

Products:
  • Suricata IDS/IPS/NSM Engine
Versions: All versions before 7.0.13 and 8.0.2
Operating Systems: All platforms running Suricata
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if SWF decompression is explicitly enabled in suricata.yaml configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service of Suricata, leaving network traffic unmonitored and unprotected from other threats while the service is down.

🟠 Likely Case

Suricata crashes when processing specially crafted SWF files, requiring manual restart and causing temporary security monitoring gaps.

🟢 If Mitigated

No impact if SWF decompression is disabled or patched versions are deployed.

🌐 Internet-Facing: MEDIUM - Attackers could send malicious SWF files to trigger crashes, but requires SWF decompression to be enabled.
🏢 Internal Only: LOW - Internal threats would need to craft and send SWF files to Suricata-monitored traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious SWF files through monitored network traffic with SWF decompression enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.13 or 8.0.2

Vendor Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-p32q-7wcp-gv92

Restart Required: Yes

Instructions:

1. Download Suricata 7.0.13 or 8.0.2 from official sources.
2. Stop the Suricata service.
3. Install/upgrade to the patched version.
4. Restart the Suricata service.

🔧 Temporary Workarounds

Disable SWF decompression

all

Disable the vulnerable SWF decompression feature in the Suricata configuration:

  • Edit suricata.yaml and set: swf-decompression: no
  • Or set decompress-depth: 0

🧯 If You Can't Patch

  • Disable SWF decompression in suricata.yaml configuration
  • Implement network filtering to block SWF files at perimeter if SWF decompression must remain enabled

🔍 How to Verify

Check if Vulnerable:

Check the Suricata version with 'suricata --build-info' and check whether SWF decompression is enabled in suricata.yaml.

Check Version:

suricata --build-info | grep -i version

Verify Fix Applied:

Confirm version is 7.0.13 or higher for 7.x branch, or 8.0.2 or higher for 8.x branch
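The two checks above (version against the fixed releases, and whether SWF decompression is switched on in suricata.yaml) can be scripted. The following is an added example written for this advisory; it is not code from the advisory page or from the Suricata project. It assumes that `suricata --build-info` (or `suricata -V`) prints a line of the form "This is Suricata version X.Y.Z RELEASE", and that the SWF setting sits in a `swf-decompression:` block with an `enabled:` key, as in the suricata.yaml shipped with Suricata. The sample configuration it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example for CVE-2025-64332 (not from the advisory or the Suricata project).
# Checks: (1) is the Suricata version at or past 7.0.13 / 8.0.2, and
#         (2) is swf-decompression enabled in a suricata.yaml.

# Pull "X.Y.Z" out of `suricata --build-info` / `suricata -V` output read on stdin.
# Assumes the line "This is Suricata version X.Y.Z RELEASE".
suricata_version_from_build_info() {
    sed -n 's/.*Suricata version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if version "$1" is at or past the fixed release for its branch,
# 1 if it is older (vulnerable per the advisory), 2 if it cannot be parsed.
suricata_version_fixed() {
    case "$1" in
        *[!0-9.]*|"") return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$rest" = "$1" ] && minor=0        # no minor component given
    [ "$patch" = "$rest" ] && patch=0    # no patch component given
    case "$major" in
        7) [ "$minor" -gt 0 ] || [ "$patch" -ge 13 ] ;;
        8) [ "$minor" -gt 0 ] || [ "$patch" -ge 2 ] ;;
        *) [ "$major" -gt 8 ] ;;         # older majors: vulnerable; newer majors: assumed to carry the fix
    esac
}

# Print "yes", "no" or "absent" for the enabled: key inside the swf-decompression: block of file "$1".
# Only keys indented deeper than swf-decompression: count, so an unrelated "enabled:" elsewhere is ignored.
swf_decompression_enabled() {
    awk '
        function indent(s) { match(s, /^[ ]*/); return RLENGTH }
        /^[ ]*swf-decompression:/ { inblk = 1; blk = indent($0); next }
        inblk && /^[ ]*[a-z0-9-]+:/ {
            if (indent($0) <= blk) { inblk = 0 }
            else if ($1 == "enabled:") {
                v = ($2 == "yes" || $2 == "true") ? "yes" : "no"
                print v; found = 1; exit
            }
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# One verdict line for version "$1" and config file "$2". "absent" is treated as not enabled,
# following the advisory's note that only an explicitly enabled feature is affected.
assess() {
    rc=0
    suricata_version_fixed "$1" || rc=$?
    swf=$(swf_decompression_enabled "$2")
    if [ "$rc" -eq 0 ]; then
        echo "patched: Suricata $1 carries the fix (swf-decompression=$swf)"
    elif [ "$rc" -eq 2 ]; then
        echo "unknown: could not parse version '$1'"
    elif [ "$swf" = "yes" ]; then
        echo "vulnerable: Suricata $1 with swf-decompression enabled; upgrade or set enabled: no"
    else
        echo "not exposed: Suricata $1 is unpatched but swf-decompression is $swf"
    fi
}

# Constructed sample config for the demo; "$2" is the value written to enabled: (yes or no).
# Layout mirrors the libhtp default-config section of the bundled suricata.yaml (assumption).
write_sample_config() {
    cat > "$1" <<EOF
app-layer:
  protocols:
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          swf-decompression:
            enabled: $2
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          response-body-limit: 100kb
EOF
}

# Demo against a constructed version string and the constructed config. On a real host use:
#   v=$(suricata --build-info | suricata_version_from_build_info)
#   assess "$v" /etc/suricata/suricata.yaml
sample=$(mktemp)
write_sample_config "$sample" yes
v=$(printf 'This is Suricata version 7.0.6 RELEASE\n' | suricata_version_from_build_info)
assess "$v" "$sample"
rm -f "$sample"
```

The check keys on the `enabled` flag only. `compress-depth` and `decompress-depth` are size limits on the data Suricata will compress or decompress rather than an on/off switch, and the comments in the bundled suricata.yaml describe a depth of 0 as unlimited, so confirm what a depth of 0 means on your build before relying on it as the workaround.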

📡 Detection & Monitoring

Log Indicators:

  • Suricata crash logs
  • Segmentation fault errors in system logs
  • Service restart messages

Network Indicators:

  • Sudden drop in Suricata alerts
  • SWF files with unusual characteristics

SIEM Query:

source="suricata" AND ("segmentation fault" OR "crash" OR "SIGSEGV")

🔗 References
