CVE-2026-3203
Protocol Dissector Crash in Wireshark Causes Denial of Service
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: GitLab Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (exc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3203 is a vulnerability in Wireshark versions 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 involving the RF4CE Profile protocol dissector. The issue is caused by a memory safety flaw in the ZigBee security CCM decryption code used by the RF4CE network dissector. Specifically, a malformed capture file can trigger a segmentation fault due to an invalid memory read during decryption, leading to a crash of the Wireshark application.
The root cause is a use-after-free or out-of-bounds read vulnerability detected by AddressSanitizer during fuzz testing. This occurs in the function responsible for decrypting ZigBee security data, which causes the application to abort when processing crafted network packets.
How can this vulnerability impact me?
This vulnerability can cause Wireshark to crash (denial of service) when processing specially crafted RF4CE network packets. An attacker could exploit this flaw by providing a malformed capture file or network traffic that triggers the crash, disrupting network analysis or monitoring activities.
While the primary impact is denial of service, the underlying memory corruption could potentially be exploited for more severe consequences, although this is not explicitly confirmed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing crashes in Wireshark or tshark when processing RF4CE network packets, especially malformed capture files that trigger the RF4CE dissector crash.
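A practical detection method is to run an AddressSanitizer-instrumented build of tshark on suspicious capture files containing RF4CE traffic and monitor for segmentation faults or crashes related to the zbee_sec_ccm_decrypt function. The ASAN_OPTIONS variable in the command below only has an effect on a tshark binary that was compiled with AddressSanitizer; a stock build ignores it and simply crashes or not.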
An example command to test a capture file for this vulnerability is:
- ASAN_OPTIONS=detect_leaks=0 tshark -r <capture_file.pcap>
Replace <capture_file.pcap> with a capture file containing RF4CE packets. If tshark crashes with a segmentation fault during processing, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of vulnerable versions of Wireshark (4.4.0 to 4.4.13 and 4.6.0 to 4.6.3) for analyzing RF4CE network traffic.
If analysis of RF4CE packets is necessary, consider upgrading to a patched version of Wireshark once available or using alternative tools that do not contain this vulnerability.
Additionally, avoid opening untrusted or malformed capture files that may trigger the crash.
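The affected ranges from the table above, turned into a check that can be run on analyst workstations; this is an added example, not code from the advisory or the Wireshark project. It assumes the first line of `tshark --version` has the form `TShark (Wireshark) x.y.z (...)`; the function names are illustrative and the sample banner is constructed.

```shell
#!/bin/sh
# Added example: classify a tshark/Wireshark version against the affected
# ranges listed on this page:
#   4.4.0 <= v < 4.4.14   and   4.6.0 <= v < 4.6.4

# Pull the first x.y.z version out of a banner line (format is an assumption).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit status: 0 = affected, 1 = not affected, 2 = not a plain x.y.z version.
is_affected() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated version on dots
    IFS=$old_ifs
    [ "$1" -eq 4 ] || return 1
    case $2 in
        4) [ "$3" -lt 14 ] ;;   # 4.4.0 .. 4.4.13
        6) [ "$3" -lt 4 ] ;;    # 4.6.0 .. 4.6.3
        *) return 1 ;;
    esac
}

# Print a one-line verdict for a version banner.
classify_banner() {
    ver=$(extract_version "$1")
    is_affected "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "affected $ver" ;;
        1) echo "not-affected $ver" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample banner, then the locally installed tshark if present.
classify_banner 'TShark (Wireshark) 4.4.13 (v4.4.13-0-g000000000000).'
if command -v tshark >/dev/null 2>&1; then
    classify_banner "$(tshark --version 2>/dev/null | head -n 1)"
fi
```

An "unknown" verdict means the banner did not contain a plain x.y.z version and the host should be checked by hand.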