CVE-2025-64335: CWE-476: NULL Pointer Dereference in OISF suricata
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.
AI Analysis
Technical Summary
CVE-2025-64335 is a NULL pointer dereference vulnerability classified under CWE-476 affecting the Suricata network IDS/IPS/NSM engine developed by the Open Information Security Foundation (OISF). The issue exists in Suricata versions from 8.0.0 up to but not including 8.0.2. It occurs specifically when the entropy keyword is used in conjunction with base64_data within detection rules. This combination leads to a NULL pointer dereference, causing the Suricata process to crash and resulting in a denial of service (DoS). The vulnerability can be triggered remotely by sending crafted network traffic that matches the problematic rule conditions, requiring no authentication or user interaction. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the ease of exploitation (network vector, low complexity, no privileges or user interaction required) and the impact on availability. While no known exploits are currently observed in the wild, the flaw poses a significant risk to organizations relying on Suricata for real-time network security monitoring. The issue has been addressed in Suricata version 8.0.2. Until patching is possible, disabling rules that use entropy with base64_data is a recommended workaround to prevent crashes.
Potential Impact
The primary impact of CVE-2025-64335 is a denial of service condition caused by Suricata crashing upon processing certain network traffic. For European organizations, this can lead to temporary loss of network intrusion detection and prevention capabilities, increasing the risk of undetected malicious activity and potential breaches. Critical infrastructure operators, financial institutions, and large enterprises that depend on Suricata for network security monitoring may experience service interruptions, potentially affecting incident response and compliance with regulatory requirements such as NIS2. The disruption could also degrade trust in security operations centers (SOCs) and delay threat detection. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact is significant in environments where continuous monitoring is essential. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.
Mitigation Recommendations
Organizations should promptly upgrade Suricata to version 8.0.2 or later, where the vulnerability is fully patched. Until an upgrade is feasible, administrators should identify and disable any detection rules that use the entropy keyword in conjunction with base64_data to prevent triggering the NULL pointer dereference. Regularly review and audit Suricata rulesets to ensure no deprecated or vulnerable rules remain active. Implement network segmentation and traffic filtering to limit exposure to potentially malicious traffic that could exploit this vulnerability. Monitoring Suricata logs for unexpected crashes or restarts can help detect attempted exploitation. Additionally, maintain up-to-date backups of Suricata configurations and rules to facilitate rapid recovery. Coordination with security vendors and participation in threat intelligence sharing can provide early warnings if exploits emerge. Finally, ensure that incident response plans account for potential IDS/IPS outages to maintain overall security posture.
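The workaround step above (find the active rules that pair `entropy` with `base64_data` so they can be disabled until 8.0.2) can be scripted. The following is an added example, not OISF or Suricata project code: it parses rule options the way a ruleset audit would, honouring quoted values and backslash continuations, and reports the SIDs to disable. The sample rules are constructed and the `entropy` option syntax is illustrative.

```python
"""Audit Suricata rule files for active rules combining the entropy keyword
with base64_data (CVE-2025-64335 workaround). Added example, not OISF code;
the sample rules are constructed and the entropy syntax is illustrative."""
import re

SAMPLE_RULES = r'''
alert http any any -> any any (msg:"b64 + entropy"; content:"dXNlcg=="; \
    base64_decode:bytes 64, relative; base64_data; entropy:value > 7.5; sid:1000002; rev:1;)
#alert tcp any any -> any any (msg:"already disabled"; base64_data; entropy:value > 7; sid:1000003;)
alert tcp any any -> any any (msg:"entropy only; no base64"; content:"entropy"; entropy:value > 7.2; sid:1000004;)
'''

def iter_rules(text: str):
    """Yield logical rules: join backslash continuations, skip blanks and #-comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1]
            continue
        rule, buf = (buf + line).strip(), ""
        if rule and not rule.startswith("#"):
            yield rule

def option_names(rule: str) -> list:
    """Keyword names in the option block; ';' inside quotes or escaped is not a split."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    names, cur, quoted, i = [], "", False, start + 1
    while i < end:
        ch = rule[i]
        if ch == "\\" and i + 1 < end:   # escaped char inside a value
            cur += rule[i:i + 2]; i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            names.append(cur.split(":", 1)[0].strip()); cur = ""
        else:
            cur += ch
        i += 1
    return [n for n in names if n]

def vulnerable_sids(text: str) -> list:
    """SIDs of active rules using both entropy and base64_data (-1 if no sid)."""
    hits = []
    for rule in iter_rules(text):
        if {"entropy", "base64_data"} <= set(option_names(rule)):
            m = re.search(r"\bsid\s*:\s*(\d+)", rule)
            hits.append(int(m.group(1)) if m else -1)
    return hits
```

Run it over each `.rules` file in the ruleset and feed the returned SIDs to your disable list (for example suricata-update's disable.conf) until the upgrade to 8.0.2 is complete.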
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.030Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69278547d322a87b22e58f1c
Added to database: 11/26/2025, 10:55:03 PM
Last enriched: 12/12/2025, 3:42:05 PM
Last updated: 1/11/2026, 3:25:04 AM