Skip to main content

Wireshark CVE-2026-9759

| EUVDEUVD-2026-32629 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 GitLab GHSA-q2f9-8cg7-wv42
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:25 vuln.today
Patch available
May 27, 2026 - 21:04 EUVD

DescriptionCVE.org

ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service

AnalysisAI

Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

ROHC (Robust Header Compression, RFC 3095) is a header compression protocol primarily used in mobile and cellular network environments to reduce IP/UDP/RTP overhead over lossy links. Wireshark's ROHC dissector parses these compressed headers when analyzing packet captures containing ROHC traffic. The root cause is CWE-476 (NULL Pointer Dereference): when the dissector encounters a malformed or adversarially crafted ROHC packet, it attempts to dereference a pointer that has not been properly initialized or validated, resulting in a segmentation fault and process crash. The CPE identifier cpe:2.3:a:wireshark_foundation:wireshark:*:*:*:*:*:*:*:* covers both affected branches. This class of bug is common in protocol dissectors that process complex, variable-length header fields without exhaustive input validation at every dereference point.

RemediationAI

Upgrade to Wireshark 4.6.6 (for users on the 4.6.x branch) or Wireshark 4.4.16 (for users on the 4.4.x branch) - these are the confirmed patched releases per EUVD-2026-32629 and the vendor advisory at https://www.wireshark.org/security/wnpa-sec-2026-51.html. If immediate upgrade is not feasible, a compensating control is to disable the ROHC dissector within Wireshark's protocol preferences (Analyze > Enabled Protocols), which prevents the vulnerable code path from executing when parsing capture files; the trade-off is loss of ROHC traffic decoding capability. Additionally, restrict analysts to opening only capture files from trusted, verified sources, and avoid opening unsolicited or externally provided .pcap/.pcapng files until patched.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-9759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy