CVE-2026-3203
Awaiting Analysis Awaiting Analysis - Queue
Protocol Dissector Crash in Wireshark Causes Denial of Service

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: GitLab Inc.

Description
RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3203
EUVD
EUVD-2026-8662
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (exc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3203 is a vulnerability in Wireshark versions 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 involving the RF4CE Profile protocol dissector. The issue is caused by a memory safety flaw in the ZigBee security CCM decryption code used by the RF4CE network dissector. Specifically, a malformed capture file can trigger a segmentation fault due to an invalid memory read during decryption, leading to a crash of the Wireshark application.

The root cause is a use-after-free or out-of-bounds read vulnerability detected by AddressSanitizer during fuzz testing. This occurs in the function responsible for decrypting ZigBee security data, which causes the application to abort when processing crafted network packets.

Impact Analysis

This vulnerability can cause Wireshark to crash (denial of service) when processing specially crafted RF4CE network packets. An attacker could exploit this flaw by providing a malformed capture file or network traffic that triggers the crash, disrupting network analysis or monitoring activities.

While the primary impact is denial of service, the underlying memory corruption could potentially be exploited for more severe consequences, although this is not explicitly confirmed.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing crashes in Wireshark or tshark when processing RF4CE network packets, especially malformed capture files that trigger the RF4CE dissector crash.

A practical detection method is to run tshark with AddressSanitizer enabled on suspicious capture files containing RF4CE traffic and monitor for segmentation faults or crashes related to the zbee_sec_ccm_decrypt function.

An example command to test a capture file for this vulnerability is:

  • ASAN_OPTIONS=detect_leaks=0 tshark -r <capture_file.pcap>

Replace <capture_file.pcap> with a capture file containing RF4CE packets. If tshark crashes with a segmentation fault during processing, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of vulnerable versions of Wireshark (4.4.0 to 4.4.13 and 4.6.0 to 4.6.3) for analyzing RF4CE network traffic.

If analysis of RF4CE packets is necessary, consider upgrading to a patched version of Wireshark once available or using alternative tools that do not contain this vulnerability.

Additionally, avoid opening untrusted or malformed capture files that may trigger the crash.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart