CVE-2026-5401
AFP Spotlight Protocol Denial of Service in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5401 is a stack overflow vulnerability in Wireshark's AFP (Apple Filing Protocol) dissector, specifically in the spotlight_dissect_query_loop() function.
The issue arises from unbounded recursion when processing Spotlight query entries, which leads to a stack overflow and causes Wireshark to crash with a segmentation fault (SIGSEGV).
This vulnerability can be triggered by either a malicious pcap file or network traffic on TCP port 548 containing nested query structures with high recursion levels.
The root cause is that the recursion depth is controlled by attacker-supplied data in the packet, and without specific flags, Wireshark does not enforce depth limits, allowing the stack overflow.
The vulnerability affects tshark when run without the -V flag but does not impact the Wireshark GUI or tshark with the -V flag enabled.
How can this vulnerability impact me?
This vulnerability can cause Wireshark or tshark to crash unexpectedly, resulting in a denial of service.
An attacker could exploit this by injecting malformed AFP packets into the network or by tricking a user into opening a malicious packet capture file, causing the application to crash.
While this does not lead to data compromise, it disrupts normal operation and analysis, potentially impacting network troubleshooting or monitoring activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic on TCP port 548, which is used by the AFP protocol. Malformed or specially crafted packets with nested Spotlight query structures causing high recursion levels may trigger the vulnerability.
Using Wireshark or tshark to analyze captured traffic on TCP port 548 can help identify suspicious packets. However, note that tshark run without the -V flag is vulnerable to crashing due to this issue.
A suggested command to capture and analyze traffic on TCP port 548 is:
- tcpdump -i <interface> tcp port 548 -w afp_traffic.pcap
Then analyze the capture with tshark using the verbose flag to avoid crashes:
- tshark -r afp_traffic.pcap -V
This approach helps detect malformed AFP Spotlight packets that could exploit the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.
- Upgrade to Wireshark version 4.6.5 or later.
- Upgrade to Wireshark version 4.4.15 or later if using the 4.4.x series.
Additionally, when using tshark, run it with the -V flag enabled to prevent crashes caused by this vulnerability.
Avoid opening untrusted or suspicious packet capture files that may contain malformed AFP Spotlight packets.
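The two answers above amount to one check: find out whether the installed build falls in an affected range and, if it does, read captures with -V until it is upgraded. The script below is an added example (not part of this advisory or of the Wireshark project) that parses a `tshark --version` banner, compares it against the ranges and fixed versions listed on this page, and builds the safe read command; the sample banner is constructed.

```python
import re

# Affected ranges from the advisory (inclusive on both ends) and the first
# fixed release of each series, as stated on this page.
AFFECTED_RANGES = [
    ((4, 4, 0), (4, 4, 14), "4.4.15"),
    ((4, 6, 0), (4, 6, 4), "4.6.5"),
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Extract the X.Y.Z version from `tshark --version` or
    `wireshark --version` output as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def check_cve_2026_5401(banner):
    """Return (affected, fixed_version) for the build described by banner.
    fixed_version is None when the build is outside every affected range."""
    ver = parse_version(banner)
    if ver is None:
        raise ValueError("no version number found in banner")
    for low, high, fixed in AFFECTED_RANGES:
        if low <= ver <= high:  # tuple comparison handles 4.6.10 > 4.6.4
            return True, fixed
    return False, None


def analysis_command(pcap, banner):
    """Build the tshark command for reading a capture: on an affected build
    add -V (the mode the page reports as not crashing); otherwise a plain read."""
    affected, _ = check_cve_2026_5401(banner)
    cmd = ["tshark", "-r", pcap]
    if affected:
        cmd.append("-V")
    return cmd


if __name__ == "__main__":
    # Constructed sample banner; on a real host obtain it with
    # subprocess.run(["tshark", "--version"], capture_output=True, text=True).stdout
    sample = "TShark (Wireshark) 4.6.3 (v4.6.3-0-gPLACEHOLDER)."
    affected, fixed = check_cve_2026_5401(sample)
    print(f"affected={affected} fixed_in={fixed}")
    print(" ".join(analysis_command("afp_traffic.pcap", sample)))
```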
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.