Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3201 is a denial-of-service vulnerability in Wireshark's USB HID protocol dissector. It occurs because the function parse_report_descriptor() does not properly limit the size of memory allocations when parsing USB HID Report Descriptors."}, {'type': 'paragraph', 'content': 'Specifically, the function tries to allocate memory for an array based on usage ranges defined by USAGE_MINIMUM and USAGE_MAXIMUM values without checking if the range is excessively large. This can lead to very large memory allocations and excessive CPU usage.'}, {'type': 'paragraph', 'content': 'For example, if USAGE_MINIMUM is 0 and USAGE_MAXIMUM is set to a very large number (like 0x10000000), Wireshark attempts to allocate about 1GB of memory and perform hundreds of millions of iterations, exhausting system resources and causing the application to crash or become unresponsive.'}, {'type': 'paragraph', 'content': 'This vulnerability is a regression caused by the removal of a previous safeguard that limited the maximum allowed array size. The fix involves reintroducing this size limit check to prevent excessive memory allocation.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause Wireshark to consume excessive memory and CPU resources when processing crafted USB HID Report Descriptors, leading to denial of service.

An attacker could exploit this by sending specially crafted USB HID data that triggers large memory allocations and intensive processing, causing Wireshark to crash or become unresponsive.

This denial of service can disrupt network analysis activities, potentially delaying troubleshooting or security monitoring that relies on Wireshark.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring Wireshark's behavior when parsing USB HID Report Descriptors, especially those containing unusually large USAGE_MINIMUM and USAGE_MAXIMUM values."}, {'type': 'paragraph', 'content': 'A proof-of-concept involves crafting a USB HID Report Descriptor with USAGE_MINIMUM set to 0 and USAGE_MAXIMUM set to a very large value (e.g., 0x10000000), which causes Wireshark to allocate excessive memory and CPU resources.'}, {'type': 'paragraph', 'content': 'To detect attempts to exploit this vulnerability, you can use Wireshark to capture USB traffic and inspect the USB HID Report Descriptors for abnormally large usage ranges.'}, {'type': 'paragraph', 'content': "While no specific commands are provided, a practical approach is to filter USB HID traffic in Wireshark using display filters such as 'usb.device_class == 0x03' (HID class) and manually inspect or script analysis of the Report Descriptor fields for suspiciously large usage ranges."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update Wireshark to a version where the vulnerability is fixed, specifically versions that have reintroduced the size limit check on the USB HID usage range allocation.

If updating is not immediately possible, avoid capturing or analyzing untrusted USB HID traffic that could contain maliciously crafted Report Descriptors.

Additionally, consider applying patches or workarounds that restore the maximum array size check (MAX_REPORT_DESCRIPTOR_COUNT) in the USB HID dissector code to prevent excessive memory allocation.

Useful 0 Not Useful 0