CVE-2025-59148

NameCVE-2025-59148
DescriptionSuricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. This issue is fixed in version 8.0.1. To workaround this issue, users can disable rules using the entropy keyword, or validate they are anchored to a sticky buffer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
suricata (PTS)bullseye1:6.0.1-3fixed
bullseye (security)1:6.0.1-3+deb11u1fixed
bookworm1:6.0.10-1fixed
trixie1:7.0.10-1fixed
forky, sid1:8.0.1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
suricatasource(unstable)(not affected)

Notes

- suricata <not-affected> (Vulnerable code never present in a Debian released version, 8.0.x only issue)
https://github.com/OISF/suricata/security/advisories/GHSA-5qf6-92xg-3rr3
https://github.com/OISF/suricata/commit/9f32550e18f97ea5d610dd7c36aab0ba142c096c (suricata-8.0.1)
https://forum.suricata.io/t/suricata-8-0-1-and-7-0-12-released/6018
https://redmine.openinfosecfoundation.org/issues/7838
Search for package or bug name: Reporting problems