CVE-2025-29915: Suricata af-packet: defrag option can lead to truncated packets affecting visibility

7.5 CVSS

Description

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.

Classification

CVE ID: CVE-2025-29915

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem Types

CWE-347: Improper Verification of Cryptographic Signature

Affected Products

Vendor: OISF

Product: suricata

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 1.86% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-29915
https://github.com/OISF/suricata/security/advisories/GHSA-7m5c-cqx4-x8mp
https://github.com/OISF/suricata/commit/d78f2c9a4e2b59f44daeddff098915084493d08d
https://redmine.openinfosecfoundation.org/issues/5373

Timeline

2025-04-10 20:40:23 UTC
CVE

Suricata af-packet: defrag option can lead to truncated packets affecting visibility