CVE-2025-59148: 
Suricata vulnerability analysis and mitigation

Suricata versions 8.0.0 and below contain a vulnerability (CVE-2025-59148) related to incorrect handling of the entropy keyword when not anchored to a "sticky" buffer. The vulnerability was discovered in September 2025 and affects the network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. A fix was released in version 8.0.1 (Ubuntu Security, Suricata Forum).

The vulnerability stems from improper use of the entropy keyword when not anchored to a "sticky" buffer, which can lead to a NULL pointer dereference and subsequent segmentation fault. The issue occurs in the DetectEntropyDoMatch function where the packet pointer becomes null during execution. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and high impact on availability (GitHub Advisory).

When exploited, this vulnerability can cause a segmentation fault in Suricata, leading to a denial of service condition. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (GitHub Advisory).

Users are advised to update to Suricata version 8.0.1 which contains the fix for this vulnerability. As a workaround, users can either disable rules using the entropy keyword or validate that they are anchored to a sticky buffer (GitHub Advisory).

The vulnerability was addressed promptly by the Suricata team and included in their security release announcement. The OISF (Open Information Security Foundation) has coordinated the disclosure and patching process, with multiple security advisories being published (Suricata Forum).