Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Crafted remote capture data (AV:N) but an analyst must launch ciscodump against the source (UI:R); only the tool process crashes, so C/I:N and A:L, matching SSVC's 'partial' technical impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
10DescriptionNVD
Crash in ciscodump 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
AnalysisAI
Denial of service in Wireshark's ciscodump remote capture utility (extcap) affects versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a heap-based buffer overflow (CWE-122) can crash the capture tool. An attacker able to feed crafted data to a running ciscodump session can terminate the process, disrupting live packet capture. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that ciscodump (the Wireshark remote Cisco capture extcap) be actively used to capture from a source the attacker can influence - i.e., the analyst must initiate a ciscodump capture against a malicious or compromised Cisco device (or a network path where crafted data can be injected). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) rates this as network-reachable, unauthenticated, no-interaction with high availability impact - but this framing is in tension with ciscodump's real-world usage: it is an analyst-driven tool that an operator must actively launch and point at a remote Cisco source, so no-interaction network exploitation of a passive listener is unlikely. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An analyst uses ciscodump to remotely capture traffic from a Cisco device that is attacker-controlled or has been compromised; the device returns malformed capture data that triggers the heap-based buffer overflow and crashes ciscodump, aborting the capture session. A POC is referenced in the SSVC data, though no weaponized public exploit was identified. … |
| Remediation | Vendor-released patch: upgrade Wireshark to 4.6.7 or 4.4.17 (or later), which contain the fix for the ciscodump heap overflow, per Wireshark advisory wnpa-sec-2026-63 (https://www.wireshark.org/security/wnpa-sec-2026-63.html). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Wireshark versions 4.6.0-4.6.6 or 4.4.0-4.4.16 where ciscodump is actively used for network monitoring. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10
The dissect_capwap_data function in epan/dissectors/packet-capwap.c in the CAPWAP dissector in Wireshark 1.6.x before 1.
The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an un
wiretap/libpcap.c in the libpcap file parser in Wireshark 1.10.x before 1.10.4 allows remote attackers to execute arbitr
In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. Rated high severity (CVSS 7.5), this vulnerability is remot
In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissector could crash. Rated high severity (CVSS 7.5), t
In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL pointer dereference. Rated high severity (CVSS 7.
A denial of service vulnerability in Column handling crashes in Wireshark 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12 (CVSS 7.8)
BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injecti
CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file.
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or cra
RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection o
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42410
GHSA-w5mx-46xm-8f3v