Splunk Enterprise — Third-Party Package Updates (SVD-2026-0211)
CVE Summary
| CVE Name | Severity | CVSS v3 Score / Vector | Exploitability / PoC Status | Impact |
|---|---|---|---|---|
| CVE-2025-23166 | High | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | No public exploit script; remote crash possible | Denial of Service |
| CVE-2025-27210 | High | 7.5 | Public proof-of-concept described | Path traversal / file access bypass |
| CVE-2025-53643 | High | Depends on configuration | Technical exploit details available | HTTP request parsing misuse |
| CVE-2025-9230 | Moderate | Moderate | No known PoC in the wild | Memory corruption / crash potential |
| Assorted Go library CVEs | Medium-High | Varies | No central PoC; environment-specific | Logic/behavior fixes |
Official Splunk Patch / Upgrade Link (apply immediately):
➡️ https://advisory.splunk.com/advisories/SVD-2026-0211
Overview — What This Advisory Means
Splunk Enterprise includes several external software packages inside its codebase. These packages — such as Node.js, the Python web library aiohttp, OpenSSL, and parts of the Go runtime — were found to contain security flaws. Some of these flaws allow an attacker to crash processes, bypass path protections, or manipulate the way web requests are handled.
Splunk’s official update addressed these issues by updating these third-party components to secure versions. If your deployment is running an affected version of Splunk Enterprise, you should upgrade to the fixed versions listed on the official patch page immediately.
This write-up explains how these issues work, how they could be detected, and how to respond. It is intended for defenders and operations teams.
How Each Issue Could Be Exploited
Denial-of-Service via Node.js (CVE-2025-23166)
The Node.js runtime used in some Splunk applications had a flaw in how it handled particular asynchronous cryptographic operations. An attacker sending certain input can trigger an unhandled exception in the background thread. Instead of recovering, the Node process may crash entirely.
This does not provide code execution, but it does allow an attacker to repeatedly crash services that rely on Node if they can reach them over the network. In practice, this shows up as repeated process restarts and service unavailability.
Path Traversal / Windows Reserved Name Bypass (CVE-2025-27210)
On Windows systems, the way file paths were combined could be tricked by using reserved device names such as CON, PRN, or AUX. When a path containing one of these names is processed, the library erroneously bypasses normal protections. This can allow an attacker to read or write files outside the intended directory.
This issue requires a remote attacker to send specially crafted requests that include these reserved names in URL paths or API endpoints that accept file names.
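The check a file-serving endpoint should apply before it touches the filesystem, as an added Python example (it is not Splunk's or Node.js's code and does not reproduce the patched library function): it decides whether a path component names a Windows device the way Windows does (case-insensitive, anything after the first dot ignored, trailing dots and spaces stripped), rejects traversal and absolute paths, and exposes the same segment test for scanning `uri_path` values pulled from access logs. The reserved-name list is Microsoft's documented set (the advisory names CON, PRN and AUX); `safe_join`, `find_reserved_segments` and the sample paths are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath
from typing import List

# Windows reserved device names (Microsoft's documented list; the advisory
# itself names CON, PRN and AUX). Windows applies the match to the part of a
# file name before the first dot, case-insensitively.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

_SEPARATORS = re.compile(r"[\\/]+")  # Windows accepts both separators


def is_reserved_segment(segment: str) -> bool:
    """True if one path component would be routed to a Windows device.

    "con", "CON.txt", "Aux.tar.gz" and "prn. " all resolve to a device, so the
    comparison uses the stem before the first dot, with trailing spaces and
    dots removed, upper-cased.
    """
    stem = segment.split(".", 1)[0].rstrip(" .").upper()
    return stem in RESERVED_DEVICE_NAMES


def split_segments(path: str) -> List[str]:
    """Split a URL or file path into components, dropping empty and '.' parts."""
    return [p for p in _SEPARATORS.split(path) if p not in ("", ".")]


def find_reserved_segments(path: str) -> List[str]:
    """Return the components of a path that name a Windows device.

    Suitable for scanning uri_path values from access logs; it matches the
    same thing the reserved-name hunt in the detection section looks for.
    """
    return [p for p in split_segments(path) if is_reserved_segment(p)]


def safe_join(root: str, user_path: str) -> str:
    """Resolve a caller-supplied relative path under root, or raise ValueError.

    Rejects absolute paths (drive letters, UNC), '..' traversal and device
    names before any filesystem call is made. PureWindowsPath keeps the result
    deterministic whatever OS this runs on. (Assumed helper, not a library API.)
    """
    if re.match(r"^[A-Za-z]:", user_path) or user_path.startswith(("\\\\", "//")):
        raise ValueError("absolute or UNC path not allowed")
    parts = split_segments(user_path)
    if ".." in parts:
        raise ValueError("path traversal component '..'")
    bad = [p for p in parts if is_reserved_segment(p)]
    if bad:
        raise ValueError(f"reserved device name in path: {bad}")
    return str(PureWindowsPath(root, *parts))


def is_rejected(root: str, user_path: str) -> bool:
    """Convenience wrapper: True when safe_join refuses the path."""
    try:
        safe_join(root, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not paths taken from any real deployment.
    for candidate in ("reports/q1.txt", "logs/PRN.log", "..\\etc\\secret", "CON.txt"):
        try:
            print(candidate, "->", safe_join(r"C:\srv\uploads", candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

The stem comparison matters more than the exact name list: a filter that only looks for the literal strings `CON`, `PRN` and `AUX` misses `con.txt` and `aux. `, which Windows still routes to the device.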
HTTP Request Handling Flaw (CVE-2025-53643)
A vulnerability in the aiohttp library affected how trailer headers and certain combinations of request headers were processed. Specifically, under certain conditions the library could misinterpret parts of the HTTP protocol, making it possible for crafted HTTP requests to be replayed or to get past a proxy’s normal filtering.
This class of behavior has been used in other contexts for “request smuggling,” where the attacker shapes requests to bypass filters or reach back-end services that otherwise would be protected.
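A request-framing audit of the kind a reverse proxy or WAF should apply before forwarding, as an added Python example (not aiohttp's parser and not Splunk's code): it parses the header block and a chunked body, then reports the conditions that let two parsers disagree about where a request ends: Content-Length together with Transfer-Encoding, conflicting or non-numeric Content-Length values, a Transfer-Encoding that does not end in `chunked`, whitespace before a colon, and framing or routing fields appearing in the trailer section, which RFC 7230 section 4.1.2 forbids. The sample requests are constructed; `audit_request`, `parse_head` and `parse_chunked` are names assumed for this example.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Fields RFC 7230 section 4.1.2 says must not appear in a trailer section
# (message framing, routing and content-negotiation fields). Subset assumed here.
FORBIDDEN_TRAILER_FIELDS = {
    "transfer-encoding", "content-length", "host", "trailer",
    "content-encoding", "content-type", "content-range",
}


def parse_head(raw: bytes) -> Tuple[str, List[Header], bytes, List[str]]:
    """Split a raw request into request line, headers, body and parse oddities."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    oddities: List[str] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            oddities.append(f"header line without colon: {line!r}")
            continue
        if name != name.strip():
            # Whitespace around the field name is where parsers start to
            # disagree about which field a line belongs to; RFC 7230 says reject.
            oddities.append(f"whitespace around field name: {name!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body, oddities


def parse_chunked(body: bytes) -> Tuple[bytes, List[Header]]:
    """Decode a chunked body; return (data, trailer fields). Raises ValueError."""
    data = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0].strip(), 16)
        pos = end + 2
        if size == 0:
            break
        data += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    trailer_block, _, _ = body[pos:].partition(b"\r\n\r\n")
    trailers: List[Header] = []
    for line in trailer_block.decode("iso-8859-1").split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            trailers.append((name.strip().lower(), value.strip()))
    return bytes(data), trailers


def audit_request(raw: bytes) -> List[str]:
    """Return findings for framing ambiguities a proxy and a backend may resolve differently."""
    _, headers, body, findings = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values: " + ", ".join(cl))
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length value")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            findings.append("Transfer-Encoding does not end with chunked: " + ", ".join(codings))
        else:
            try:
                _, trailers = parse_chunked(body)
            except ValueError:
                findings.append("malformed chunked body")
            else:
                for name, _ in trailers:
                    if name in FORBIDDEN_TRAILER_FIELDS:
                        findings.append(f"forbidden field in trailer section: {name}")
    declared = [c.strip().lower() for n, v in headers if n == "trailer" for c in v.split(",")]
    for name in declared:
        if name in FORBIDDEN_TRAILER_FIELDS:
            findings.append(f"Trailer header declares forbidden field: {name}")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = b"GET /en-US/app/search HTTP/1.1\r\nHost: splunk.example\r\n\r\n"
CL_AND_TE = (b"POST /api/upload HTTP/1.1\r\nHost: splunk.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BAD_TRAILER = (b"POST /api/upload HTTP/1.1\r\nHost: splunk.example\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\nContent-Length: 99\r\n\r\n")

if __name__ == "__main__":
    for req in (CLEAN, CL_AND_TE, BAD_TRAILER):
        print(req.split(b"\r\n", 1)[0].decode(), "->", audit_request(req) or ["ok"])
```

The defensive policy that follows from the findings is to reject rather than repair: a front end that silently picks one framing rule and forwards the bytes unchanged is exactly the setup in which the back end may pick the other.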
OpenSSL CMS Processing Issue (CVE-2025-9230)
The OpenSSL library included in Splunk Enterprise had a weakness in the way it processed CMS (Cryptographic Message Syntax) password-based decryption. A malformed CMS encrypted message could cause an out-of-bounds memory access, potentially crashing the process that attempted to parse it.
This only matters for services that actually perform CMS decryption on attacker-controlled data. Not all deployments use this feature.
Other Go Library Fixes
Splunk updated the embedded Go runtime and libraries to address a set of vulnerabilities that affect how file paths, concurrency, and standard library functions operate. These issues don’t always map to a single CVE number, but they can cause logic bugs or security edge cases that attackers can leverage in specific scenarios.
Exploitability and Proof-of-Concept Status
For defensive purposes, security researchers have documented proof-of-concept details for some of these flaws:
- The path traversal issue on Windows has been demonstrated with crafted URIs using reserved names.
- The request handling flaw in aiohttp is well-described in academic or research write-ups demonstrating how misaligned headers can be abused.
- The Node.js denial-of-service issue does not give an attacker shell access, but can be triggered remotely by malformed crypto input.
- The OpenSSL CMS problem appears only in specialized decryption contexts.
Even if exploit code is not publicly available for a given issue, attackers can often research the conditions and create their own test cases. This means detection and monitoring are critical.
Symptoms of Exploitation Attempts
Be alert for the following operational signs:
Service Crashes and Restarts
- Node processes frequently terminate with unhandled exceptions.
- Services restart without configuration changes.
- Core files or crash dumps are generated.
Unusual File Path Access
- Requests showing paths that include reserved Windows device names like CON, PRN, AUX, or similar.
- File access errors or logs indicating attempts to open files outside expected directories.
Malformed HTTP Requests and Edge Cases
- Unusual combinations of headers, such as both Content-Length and Transfer-Encoding in the same request.
- Requests containing multiple sets of header values that defy normal patterns.
Cryptographic Parsing Errors
- Logs showing errors referencing CMS or cryptographic decryption failures.
- Unexpected exceptions in libraries that handle decryption.
Detection Rules and Queries
Below are detection queries you can use in Splunk to hunt for evidence of exploitation attempts. You may adapt them to your environment and log formats.
1) Detect Unexpected Service Crashes
(index=_internal OR index=os_logs)
(sourcetype="splunkd" OR sourcetype="nodejs")
(message="*FATAL ERROR*" OR
message="*Unhandled exception*" OR
message="*segmentation fault*" OR
message="*core dumped*")
| stats count by host, sourcetype, message
| sort - count
Purpose: Alerts on crashes or unhandled exceptions in Splunk or Node processes. The index and sourcetype terms are parenthesised separately from the message terms because SPL's implicit AND binds tighter than OR; without the grouping, every splunkd event would match.
2) Detect Path Traversal Attempts Using Reserved Device Names
(index=web OR index=proxy)
(sourcetype=access_combined OR sourcetype=nginx:access)
| where match(uri_path, "(?i)(^|/)(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])([.][^/]*)?(/|$)")
| table _time, clientip, uri_path, status, useragent
Purpose: Finds HTTP requests where a reserved device name appears as a path segment, a tell-tale sign of attempts to exploit the Windows path handling issue. The pattern covers the full reserved set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) and matches the name with or without a file extension, since Windows treats CON.txt the same as CON.
3) Detect Suspicious HTTP Header Combinations
index=proxy (sourcetype=nginx:access OR sourcetype=haproxy)
| eval hasCL = if(isnotnull(content_length),1,0)
| eval hasTE = if(isnotnull(transfer_encoding),1,0)
| where hasCL==1 AND hasTE==1
| table _time, clientip, uri, content_length, transfer_encoding, useragent
Purpose: Finds requests where both Content-Length and Transfer-Encoding are present — a pattern associated with request parsing edge cases that could indicate smuggling attempts. The field names content_length and transfer_encoding assume your proxy log format has been configured to emit those request headers; adjust them to match your extractions.
4) Detect Cryptographic Parsing Errors
(index=main OR index=os_logs)
(sourcetype=syslog OR sourcetype=application)
(message="*CMS*" OR message="*decryption failed*" OR message="*openssl*")
| bin _time span=1h
| stats count by _time, host, message
Purpose: Surfaces logs with cryptographic decryption errors, which may signal attempts to exploit CMS parsing. Binning _time to one hour before the stats makes a burst of failures on one host stand out as a single row with a high count instead of one row per event.
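As an added example (not from the advisory and not Splunk's code), the same hunts expressed in Python over a handful of constructed log lines so the logic can be checked offline: query 1's crash count per host and sourcetype, query 4's crypto-error count with a one-hour bin, and, going one step beyond the SPL above, a sliding-window alert for the repeated-restart pattern listed under the symptoms. The host names, sourcetype values and message strings are assumptions that mirror the query terms; the line format is a constructed "timestamp host sourcetype message" layout, not real Splunk or Node.js output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str, str]  # (_time, host, sourcetype, message)

# Constructed sample events; the message text mirrors the search terms in the
# SPL queries above and is not real Splunk or Node.js output.
SAMPLE_LOGS = """\
2026-02-11T10:00:05Z sh01 nodejs FATAL ERROR: uncaught exception in worker thread
2026-02-11T10:00:41Z sh01 nodejs FATAL ERROR: uncaught exception in worker thread
2026-02-11T10:01:12Z sh01 nodejs Unhandled exception: process exiting
2026-02-11T10:02:03Z sh01 nodejs FATAL ERROR: uncaught exception in worker thread
2026-02-11T10:30:00Z idx02 splunkd Loaded app manifest
2026-02-11T11:05:00Z idx02 syslog openssl: CMS decryption failed while parsing message
2026-02-11T11:07:30Z idx02 syslog openssl: CMS decryption failed while parsing message
2026-02-11T12:00:00Z sh01 splunkd Scheduled search completed
"""

CRASH_RE = re.compile(r"FATAL ERROR|Unhandled exception|segmentation fault|core dumped", re.I)
CRYPTO_RE = re.compile(r"\bCMS\b|decryption failed|openssl", re.I)
CRASH_SOURCETYPES = {"splunkd", "nodejs"}


def parse_logs(text: str) -> List[Event]:
    """Parse the constructed line format into (time, host, sourcetype, message)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, sourcetype, message = line.split(" ", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, sourcetype, message))
    return events


def crash_counts(events: List[Event]) -> Counter:
    """Query 1: count crash-like messages per (host, sourcetype, message)."""
    return Counter(
        (host, st, msg) for _, host, st, msg in events
        if st in CRASH_SOURCETYPES and CRASH_RE.search(msg)
    )


def crypto_errors_by_hour(events: List[Event]) -> Counter:
    """Query 4 with a one-hour bin, so bursts show up instead of one row per event."""
    counts: Counter = Counter()
    for ts, host, _, msg in events:
        if CRYPTO_RE.search(msg):
            counts[(ts.replace(minute=0, second=0, microsecond=0), host)] += 1
    return counts


def repeated_crash_hosts(events: List[Event], window: timedelta = timedelta(minutes=5),
                         threshold: int = 3) -> Dict[str, int]:
    """Flag hosts with at least `threshold` crash events inside any `window`.

    A single crash is noise; the symptom the advisory describes is repeated
    restarts, so the alert is on density. Returns host -> largest burst seen.
    """
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for ts, host, _, msg in events:
        if CRASH_RE.search(msg):
            by_host[host].append(ts)
    flagged: Dict[str, int] = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it fits
            burst = end - start + 1
            if burst >= threshold:
                flagged[host] = max(flagged.get(host, 0), burst)
    return flagged


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for key, n in crash_counts(evs).most_common():
        print(n, key)
    print(crypto_errors_by_hour(evs))
    print(repeated_crash_hosts(evs))
```

The window and threshold are tuning knobs: set them from a baseline of your own restart rate, so that a planned rolling restart does not page anyone while a tight cluster of unhandled exceptions on one search head does.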
Response and Remediation Checklist
- Upgrade Splunk Enterprise immediately to one of the fixed versions listed on the official patch page: https://advisory.splunk.com/advisories/SVD-2026-0211
- Restart all Splunk services after the upgrade and confirm that the upgraded third-party libraries are in place.
- Review custom apps or scripts that bundle their own third-party libraries. They may not benefit from the core Splunk upgrade.
- Run the detection queries regularly and check historical logs for signs of exploitation attempts.
- Monitor crash logs and abnormal service behavior, especially after external traffic spikes.
MITRE ATT&CK Techniques (Relevant to These Issues)
| Technique | Description |
|---|---|
| T1190 — Exploit Public-Facing Application | Attempts to send malicious input to compromise software behavior. |
| T1499 — Denial of Service | Repeated crashes due to processing malformed data. |
In Summary
- Splunk Enterprise included older versions of external libraries that contain serious flaws.
- These flaws range from denial of service to path handling and HTTP processing inconsistencies.
- Even if there is no widely published exploit, attackers can craft inputs to test and reach unpatched systems.
- The answer: patch immediately using the official Splunk upgrade instructions above, and monitor using the detection queries provided.
