CVE-2026-3201
Memory Exhaustion in Wireshark USB HID Dissector Causes DoS
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: GitLab Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (exc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-1325 | The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3201 is a denial-of-service vulnerability in Wireshark's USB HID protocol dissector. It occurs because the function parse_report_descriptor() does not properly limit the size of memory allocations when parsing USB HID Report Descriptors.
Specifically, the function tries to allocate memory for an array based on usage ranges defined by USAGE_MINIMUM and USAGE_MAXIMUM values without checking if the range is excessively large. This can lead to very large memory allocations and excessive CPU usage.
For example, if USAGE_MINIMUM is 0 and USAGE_MAXIMUM is set to a very large number (like 0x10000000), Wireshark attempts to allocate about 1GB of memory and perform hundreds of millions of iterations, exhausting system resources and causing the application to crash or become unresponsive.
This vulnerability is a regression caused by the removal of a previous safeguard that limited the maximum allowed array size. The fix involves reintroducing this size limit check to prevent excessive memory allocation. [1]
How can this vulnerability impact me?
This vulnerability can cause Wireshark to consume excessive memory and CPU resources when processing crafted USB HID Report Descriptors, leading to denial of service.
An attacker could exploit this by sending specially crafted USB HID data that triggers large memory allocations and intensive processing, causing Wireshark to crash or become unresponsive.
This denial of service can disrupt network analysis activities, potentially delaying troubleshooting or security monitoring that relies on Wireshark.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring Wireshark's behavior when parsing USB HID Report Descriptors, especially those containing unusually large USAGE_MINIMUM and USAGE_MAXIMUM values.
A proof-of-concept involves crafting a USB HID Report Descriptor with USAGE_MINIMUM set to 0 and USAGE_MAXIMUM set to a very large value (e.g., 0x10000000), which causes Wireshark to allocate excessive memory and CPU resources.
To detect attempts to exploit this vulnerability, you can use Wireshark to capture USB traffic and inspect the USB HID Report Descriptors for abnormally large usage ranges.
While no specific commands are provided, a practical approach is to filter USB HID traffic in Wireshark using display filters such as 'usb.device_class == 0x03' (HID class) and manually inspect or script analysis of the Report Descriptor fields for suspiciously large usage ranges. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Wireshark to a version where the vulnerability is fixed, specifically versions that have reintroduced the size limit check on the USB HID usage range allocation.
If updating is not immediately possible, avoid capturing or analyzing untrusted USB HID traffic that could contain maliciously crafted Report Descriptors.
Additionally, consider applying patches or workarounds that restore the maximum array size check (MAX_REPORT_DESCRIPTOR_COUNT) in the USB HID dissector code to prevent excessive memory allocation.
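The unbounded usage-range pattern described in the explanation above, beside the bounded check that the mitigation answer refers to, as an added example in C. This is not Wireshark's code: it walks HID short items to find USAGE_MINIMUM and USAGE_MAXIMUM, then computes the entry count once without a cap (the pattern the advisory describes) and once with a cap applied before any allocation. The cap value USAGE_RANGE_CAP, the function names and the two sample descriptors are assumptions constructed for this example; the page names MAX_REPORT_DESCRIPTOR_COUNT but does not give its value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on usage-range entries. The advisory names a
 * MAX_REPORT_DESCRIPTOR_COUNT check but not its value, so this number
 * is an assumption chosen for the example. */
#define USAGE_RANGE_CAP 4096

/* HID short-item encoding: bType == 2 is a Local item; Local tags 1 and 2
 * are Usage Minimum and Usage Maximum. */
enum { ITEM_TYPE_LOCAL = 2, TAG_USAGE_MIN = 1, TAG_USAGE_MAX = 2 };

typedef struct {
    uint32_t usage_min, usage_max;
    int have_min, have_max;
} usage_range_t;

/* Walk the descriptor's items and record USAGE_MINIMUM / USAGE_MAXIMUM.
 * Returns 0 on success, -1 if an item runs past the end of the buffer. */
static int scan_usage_range(const uint8_t *desc, size_t len, usage_range_t *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        uint8_t prefix = desc[off++];
        if (prefix == 0xFE) {               /* long item: bDataSize, bLongItemTag, data */
            if (off + 2 > len) return -1;
            size_t ldlen = desc[off];
            off += 2;
            if (off + ldlen > len) return -1;
            off += ldlen;
            continue;
        }
        size_t dlen = prefix & 0x3;          /* bSize code 3 means 4 data bytes */
        if (dlen == 3) dlen = 4;
        uint8_t type = (prefix >> 2) & 0x3;
        uint8_t tag = prefix >> 4;
        if (off + dlen > len) return -1;
        uint32_t val = 0;                    /* data field is little-endian */
        for (size_t i = 0; i < dlen; i++) val |= (uint32_t)desc[off + i] << (8 * i);
        off += dlen;
        if (type == ITEM_TYPE_LOCAL && tag == TAG_USAGE_MIN) { out->usage_min = val; out->have_min = 1; }
        if (type == ITEM_TYPE_LOCAL && tag == TAG_USAGE_MAX) { out->usage_max = val; out->have_max = 1; }
    }
    return 0;
}

/* Unbounded count: derived straight from the range, the pattern the advisory describes. */
static uint64_t usage_count_unbounded(const usage_range_t *r)
{
    return (uint64_t)r->usage_max - r->usage_min + 1;
}

/* Bounded count: returns 0 (reject) for a missing, inverted or oversized range. */
static uint32_t usage_count_bounded(const usage_range_t *r)
{
    if (!r->have_min || !r->have_max || r->usage_max < r->usage_min) return 0;
    uint64_t count = (uint64_t)r->usage_max - r->usage_min + 1;
    return count > USAGE_RANGE_CAP ? 0 : (uint32_t)count;
}

/* Allocate the usage table only after the bounded check passes; caller frees. */
static uint32_t *alloc_usage_table(const usage_range_t *r, uint32_t *n_out)
{
    uint32_t n = usage_count_bounded(r);
    uint32_t *t = n ? calloc(n, sizeof *t) : NULL;
    *n_out = t ? n : 0;
    for (uint32_t i = 0; t && i < n; i++) t[i] = r->usage_min + i;
    return t;
}

/* Constructed sample descriptors (not from the page): a keyboard-style range 0..0x65,
 * and the oversized range 0..0x10000000 that the advisory uses as its example. */
static const uint8_t SAMPLE_BENIGN[]    = { 0x19, 0x00, 0x29, 0x65 };
static const uint8_t SAMPLE_OVERSIZED[] = { 0x19, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x10 };

uint32_t demo_benign_count(void)          /* 102 entries, allocated normally */
{
    usage_range_t r; uint32_t n;
    if (scan_usage_range(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &r) != 0) return 0;
    free(alloc_usage_table(&r, &n));
    return n;
}

uint32_t demo_benign_last_entry(void)     /* last table entry equals USAGE_MAXIMUM (0x65) */
{
    usage_range_t r; uint32_t n, last = 0;
    if (scan_usage_range(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &r) != 0) return 0;
    uint32_t *t = alloc_usage_table(&r, &n);
    if (t) last = t[n - 1];
    free(t);
    return last;
}

uint64_t demo_oversized_unbounded(void)   /* 0x10000001 entries: what the unbounded code would try */
{
    usage_range_t r;
    if (scan_usage_range(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &r) != 0) return 0;
    return usage_count_unbounded(&r);
}

uint32_t demo_oversized_bounded(void)     /* 0: rejected by the cap before any allocation */
{
    usage_range_t r;
    if (scan_usage_range(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &r) != 0) return 0;
    return usage_count_bounded(&r);
}

int main(void)
{
    printf("benign: %u entries, last = 0x%x\n", demo_benign_count(), demo_benign_last_entry());
    printf("oversized: unbounded would want %llu entries, bounded allows %u\n",
           (unsigned long long)demo_oversized_unbounded(), demo_oversized_bounded());
    return 0;
}
```

The check sits in the count function rather than at the allocation site, so every caller that derives a size from the usage range gets the same limit; widening the arithmetic to 64 bits also keeps an inverted or wrapped 32-bit range from slipping under the cap.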