Vulnerability Description
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oisf | Suricata | < 7.0.9 |
Related Weaknesses (CWE)
References
- https://github.com/OISF/suricata/commit/d78f2c9a4e2b59f44daeddff098915084493d08dPatch
- https://github.com/OISF/suricata/security/advisories/GHSA-7m5c-cqx4-x8mpIssue TrackingVendor Advisory
- https://redmine.openinfosecfoundation.org/issues/5373Issue Tracking
FAQ
What is CVE-2025-29915?
CVE-2025-29915 is a vulnerability with a CVSS score of 7.5 (HIGH). Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assem...
How severe is CVE-2025-29915?
CVE-2025-29915 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-29915?
Check the references section above for vendor advisories and patch information. Affected products include: Oisf Suricata.