Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Crafted UMTS FP frame parsed over the network with low complexity and no auth causes only an application crash, so A:H with C:N/I:N and no scope change.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionNVD
UMTS FP protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
AnalysisAI
Denial of service in Wireshark's UMTS FP protocol dissector affects the 4.6.0-4.6.6 and 4.4.0-4.4.16 release branches, where a malformed UMTS Frame Protocol packet triggers a heap-based buffer overflow (CWE-122) that crashes the application. A remote attacker who can get the crafted frame parsed - via live capture on a monitored segment or a shared capture file - can reliably terminate the analyzer, with no confidentiality or integrity impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Wireshark actually dissect a crafted UMTS FP (UMTS Frame Protocol) packet - the attacker must get that packet into a capture the victim is analyzing, either by injecting it onto a network segment during a live capture or by supplying a malicious capture file the analyst opens. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent and point to a moderate, availability-only issue rather than a top-priority emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malformed UMTS FP frame and either injects it onto a network segment where an analyst is running a live Wireshark capture, or delivers it inside a capture file shared with the analyst. When Wireshark's UMTS FP dissector parses the frame, the heap buffer overflow triggers and the application crashes, interrupting the analyst's monitoring or investigation. … |
| Remediation | Vendor-released patch: upgrade to Wireshark 4.6.7 (for the 4.6.x branch) or 4.4.17 (for the 4.4.x branch), the first fixed releases per the vendor advisory wnpa-sec-2026-59 (https://www.wireshark.org/security/wnpa-sec-2026-59.html). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Wireshark installations on analyst workstations and SOC systems running versions 4.4.0-4.4.16 or 4.6.0-4.6.6; alert teams to exercise caution with untrusted capture files and restrict live captures to trusted network segments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10
The dissect_capwap_data function in epan/dissectors/packet-capwap.c in the CAPWAP dissector in Wireshark 1.6.x before 1.
The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an un
wiretap/libpcap.c in the libpcap file parser in Wireshark 1.10.x before 1.10.4 allows remote attackers to execute arbitr
In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. Rated high severity (CVSS 7.5), this vulnerability is remot
In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissector could crash. Rated high severity (CVSS 7.5), t
In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL pointer dereference. Rated high severity (CVSS 7.
A denial of service vulnerability in Column handling crashes in Wireshark 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12 (CVSS 7.8)
BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injecti
CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file.
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or cra
RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection o
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42416
GHSA-9gc8-6grc-r8pc