CVE-2025-64344: CWE-121: Stack-based Buffer Overflow in OISF suricata
CVE-2025-64344 is a high-severity stack-based buffer overflow vulnerability in the Suricata network IDS/IPS/NSM engine affecting versions prior to 7.0.13 and 8.0.2. The flaw arises when Lua scripts process large buffers, potentially overflowing the stack and causing a denial of service through application crashes. Exploitation requires no authentication or user interaction and can be triggered remotely via crafted network traffic that passes large buffers to Lua rules or output scripts. Although no known exploits are currently in the wild, unpatched systems remain at risk. Mitigation includes upgrading to Suricata 7.0.13 or 8.0.2.
AI Analysis
Technical Summary
CVE-2025-64344 is a stack-based buffer overflow vulnerability in the Suricata network IDS/IPS/NSM engine developed by the Open Information Security Foundation (OISF). It affects Suricata versions prior to 7.0.13 and 8.0.2 and is triggered when Lua rules or Lua output scripts handle large buffers: when a script processes a buffer above a certain size, the stack overflows and the Suricata process crashes. The weakness is categorized as CWE-121 (Stack-based Buffer Overflow). It does not directly affect confidentiality or integrity; the impact is on availability, as a denial of service through application crashes. It can be exploited remotely, without authentication or user interaction, by sending specially crafted network traffic that causes Lua scripts to process large buffers. Fixes ship in Suricata 7.0.13 and 8.0.2. Workarounds are to disable Lua scripting, or to cap the buffers handed to Lua by setting the stream reassembly depth (stream.reassembly.depth in suricata.yaml) and the HTTP response body limit (response-body-limit) to values less than half the thread stack size. No exploits are currently reported in the wild, but the vulnerability presents a significant risk to deployments that rely on Lua scripting within Suricata for network security monitoring and intrusion prevention.
Potential Impact
The primary impact of CVE-2025-64344 is on the availability of Suricata-based network security systems. Successful exploitation leads to a stack overflow causing Suricata to crash, resulting in denial of service. For European organizations, especially those in critical infrastructure, telecommunications, finance, and government sectors that depend on Suricata for real-time intrusion detection and prevention, this could mean temporary loss of network monitoring capabilities and increased exposure to other cyber threats. The lack of confidentiality or integrity impact limits the scope to availability, but the disruption of security monitoring can indirectly increase risk exposure. Additionally, the ease of remote exploitation without authentication raises the urgency for patching. Organizations using Lua scripting extensively in Suricata are at higher risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks. The impact is heightened in environments with high network traffic volumes where large buffers are common, increasing the likelihood of triggering the overflow.
Mitigation Recommendations
1. Upgrade Suricata installations to version 7.0.13 or 8.0.2 or later, where the vulnerability is patched.
2. If an immediate upgrade is not feasible, disable Lua rules and Lua output scripts to remove the attack surface related to Lua buffer handling.
3. Limit buffer sizes by setting the stream reassembly depth (stream.reassembly.depth) and the HTTP response body limit (response-body-limit) to values less than half the thread stack size, so that no buffer large enough to overflow the stack reaches a Lua script.
4. Monitor Suricata logs and process stability for crashes or unusual behavior that may indicate attempted exploitation.
5. Use network segmentation and filtering to reduce the exposure of Suricata sensors to untrusted or high-risk network segments.
6. Regularly review and audit the Lua scripts used in Suricata rules and outputs to ensure they do not process unnecessarily large buffers.
7. Maintain an incident response plan that includes rapid patch deployment and system recovery procedures to minimize downtime in case of exploitation.
8. Follow OISF community updates and security advisories for emerging threats or additional patches.
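The interim workaround (items 2 and 3) as a suricata.yaml excerpt. This is an added example, not text from the advisory or the Suricata project; it assumes an 8 MB worker-thread stack (check with `ulimit -s` on the sensor host), so "half the stack size" is 4 MB, and the commented-out values show the weak, unbounded settings that the workaround replaces.

```yaml
# Added example, not part of the advisory. Excerpt of suricata.yaml showing
# the workaround for CVE-2025-64344 on an unpatched 7.x / 8.x sensor.
# Assumption: worker threads get an 8 MB stack, so every buffer that can
# reach a Lua script must stay well below 4 MB.

stream:
  reassembly:
    # WEAK: "depth: 0" removes the cap, so a single reassembled stream can
    # grow past half the stack and be handed to a Lua rule in one piece.
    # depth: 0
    depth: 1mb              # hardened: 1 MB, far below the 4 MB ceiling

app-layer:
  protocols:
    http:
      libhtp:
        default-config:
          # WEAK: 0 disables the body cap, so a large HTTP response is
          # buffered whole before a Lua rule or output script sees it.
          # response-body-limit: 0
          response-body-limit: 100kb   # hardened: 100 KB
          request-body-limit: 100kb    # same bound on the request side

outputs:
  # Lua output scripts are the second entry point named by the advisory.
  # Until the sensor runs 7.0.13 / 8.0.2, keep them off; the hypothetical
  # script name below is a placeholder for whatever is deployed locally.
  - lua:
      enabled: no           # WEAK value was "yes"
      scripts-dir: /etc/suricata/lua-output/
      scripts:
        - http-body.lua     # placeholder name, not a real shipped script
```

Lua-based detection rules (rules using the `lua` keyword) are not controlled by the `outputs` section and must be removed from the loaded rule files separately for item 2 to be complete.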
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-30T17:40:52.031Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692788ccd322a87b22e671c4
Added to database: 11/26/2025, 11:10:04 PM
Last enriched: 11/26/2025, 11:25:04 PM
Last updated: 11/27/2025, 2:13:23 AM