Executive Summary

CVE-2025-13945 is a vulnerability in Wireshark versions 4.6.0 and 4.6.1 where the HTTP/3 dissector crashes or causes the application to freeze and use excessive CPU when processing a decrypted HTTP/3 conversation containing a HEADERS frame with many headers. This happens when loading a capture file with an injected SSLKEYLOG file, leading to denial of service by making Wireshark unresponsive. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause Wireshark to freeze and consume high CPU resources when analyzing certain HTTP/3 traffic captures, resulting in denial of service. This can disrupt network analysis and troubleshooting activities, potentially delaying incident response or forensic investigations. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing Wireshark behavior when processing decrypted HTTP/3 traffic containing HEADERS frames with a large number of headers. Specifically, loading a capture file (e.g., qpack.pcapng) with an injected SSLKEYLOG file in Wireshark versions 4.6.0 or 4.6.1 may cause the application to freeze or exhibit high CPU usage. To detect this, you can attempt to load such a capture file in the affected Wireshark versions and observe for freezes or excessive CPU consumption. There are no specific commands provided for detection in the resources. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Wireshark versions 4.6.0 and 4.6.1 for analyzing decrypted HTTP/3 traffic with large HEADERS frames. Consider upgrading to a fixed version of Wireshark once available or refrain from loading capture files that trigger the issue. Monitoring for updates or patches from the Wireshark Foundation is recommended. [1]

Useful 0 Not Useful 0