Skip to main content

Wireshark CVE-2026-5654

| EUVDEUVD-2026-26324 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-04-30 GitLab
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
May 01, 2026 - 17:02 nvd
Patch available
Patch available
Apr 30, 2026 - 08:16 EUVD
Analysis Generated
Apr 30, 2026 - 06:47 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 06:30 euvd
EUVD-2026-26324
Analysis Generated
Apr 30, 2026 - 06:30 vuln.today
CVE Published
Apr 30, 2026 - 05:39 nvd
MEDIUM 5.5

DescriptionCVE.org

AMR-NB codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

AnalysisAI

Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via stack buffer overflow in the AMR-NB codec decoder allows local attackers with user interaction to crash the application. The vulnerability requires opening a specially crafted network capture file, making it exploitable in scenarios where users are tricked into opening untrusted PCAP files or when Wireshark auto-opens recent captures.

Technical ContextAI

Wireshark's AMR-NB (Adaptive Multi-Rate Narrowband) codec dissector contains a stack-based buffer overflow (CWE-121) triggered during packet parsing. The AMR-NB codec is used to decode voice traffic in cellular networks and VoIP applications. The overflow occurs in the codec's decoding routine when processing malformed or oversized AMR-NB payloads embedded in network traffic captures. This is a memory safety issue in the packet dissection layer where input validation or bounds checking on AMR-NB frame sizes is insufficient.

RemediationAI

Upgrade to patched versions: Wireshark 4.6.5 or later (for 4.6.x branch) or Wireshark 4.4.15 or later (for 4.4.x branch). Users unable to immediately patch should avoid opening PCAP files from untrusted sources, particularly those suspected of containing AMR-NB codec traffic or VoIP captures. Implement file sandboxing for PCAP analysis by running Wireshark in isolated environments (containers, VMs) when processing unknown captures. Network segmentation can reduce the likelihood of untrusted files reaching analyst systems. Until patching is possible, disable the AMR-NB dissector plugin if it is not required for your analysis workflows (Wireshark menu: Analyze → Enabled Protocols → uncheck AMR-NB), though this reduces functionality for legitimate VoIP packet inspection.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed

Share

CVE-2026-5654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy