CVE-2025-59150: 
Suricata vulnerability analysis and mitigation

Suricata version 8.0.0 contains a vulnerability in the tls.subjectaltname keyword functionality that can lead to a segmentation fault when processing TLS traffic. The vulnerability (CVE-2025-59150) was discovered in September 2025 and affects the network IDS, IPS and NSM engine developed by the Open Information Security Foundation (OISF). The issue was fixed in version 8.0.1 (Suricata Forum, Ubuntu Security).

The vulnerability is caused by a NULL pointer dereference that occurs when the decoded subjectaltname contains a NULL byte. Specifically, in the TlsSubjectAltNameGetData function, the code attempts to calculate the length of a string that may contain NULL bytes, leading to incorrect length calculation and potential segmentation fault. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can result in a denial of service condition through application crashes when processing TLS traffic containing specifically crafted subject alternative names. The issue affects the availability of the Suricata detection system but does not impact confidentiality or integrity (GitHub Advisory).

The primary mitigation is to upgrade to Suricata version 8.0.1 which contains the fix for this vulnerability. As a temporary workaround, users can disable rules using the tls.subjectaltname keyword. The fix has been implemented through a patch that properly handles NULL bytes in subject alternative names (GitHub Commit).