CVE-2026-5402
TLS Protocol Heap Overflow in Wireshark 4.6.x
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-5402 vulnerability is a heap buffer overflow flaw in the TLS protocol dissector of Wireshark versions 4.6.0 through 4.6.4. It occurs due to an integer truncation issue in the processing of TLS Encrypted Client Hello (ECH) extensions, which allows an attacker to write attacker-controlled data beyond the allocated heap buffer.
This flaw can cause Wireshark to crash or potentially execute malicious code if a user opens a specially crafted packet trace file or captures network traffic containing a malicious TLS ClientHello message.
The vulnerability was discovered by Duc Anh Nguyen and is classified as a high severity issue with a CVSS score of 8.8.
How can this vulnerability impact me?
This vulnerability can impact users by causing denial of service through application crashes or, more severely, by allowing attackers to execute arbitrary code within the context of Wireshark.
An attacker could exploit this by injecting malformed packets into network traffic or tricking a user into opening a malicious packet capture file, potentially compromising the security and stability of the system running Wireshark.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing network traffic or packet capture files for malformed TLS ClientHello messages that could trigger the heap overflow in Wireshark versions 4.6.0 to 4.6.4.
Specifically, detection involves identifying crafted .pcapng files or network captures containing malicious TLS ClientHello packets that exploit the integer truncation in the ech_outer_extensions processing loop.
While no explicit commands are provided in the resources, users can use Wireshark or command-line tools like tshark to inspect TLS ClientHello packets for anomalies or malformed extensions.
- Use tshark to filter TLS ClientHello packets: `tshark -r capture.pcapng -Y "tls.handshake.type == 1"`
- Manually inspect suspicious ClientHello packets for unusual or malformed extensions that could trigger the vulnerability.
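The manual inspection suggested above can be made repeatable with a small reader that walks a ClientHello's extension list and reports every length field that does not agree with the bytes actually present. The following is an added example written for this page; it is not code from the Wireshark project or from the CVE record. The ECH extension codepoint (0xfe0d) and the sample messages are the author's assumptions and constructed data, and the malformed sample only has a generic length mismatch, not the specific condition described in the advisory.

```python
"""Walk the extensions of a TLS ClientHello with explicit bounds checks.

Added example, not from the Wireshark project or the CVE record. It reads a
raw TLS record containing a ClientHello and lists every extension together
with any length-field inconsistency it finds, so that suspicious captures can
be triaged without handing them to a vulnerable dissector first. The ECH
codepoint below and the sample messages are assumptions / constructed data.
"""
import struct

EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint used by recent ECH drafts (assumption)
EXT_NAMES = {
    0x0000: "server_name",
    0x000A: "supported_groups",
    0x002B: "supported_versions",
    EXT_ECH: "encrypted_client_hello",
}


class Reader:
    """Cursor over a byte buffer; every read is checked against the end."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError(f"need {n} bytes at offset {self.pos}, only {self.remaining()} left")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, width: int) -> int:
        return int.from_bytes(self.take(width), "big")


def parse_client_hello(record: bytes) -> dict:
    """Return {'extensions': [(type, name, length)], 'problems': [...]} for one TLS record."""
    out = {"extensions": [], "problems": []}
    r = Reader(record)
    try:
        if r.uint(1) != 0x16:
            out["problems"].append("not a handshake record")
            return out
        r.uint(2)                      # legacy record version
        rec_len = r.uint(2)
        if rec_len != r.remaining():
            out["problems"].append(f"record length {rec_len} != {r.remaining()} bytes present")
        if r.uint(1) != 0x01:
            out["problems"].append("handshake type is not ClientHello")
            return out
        hs_len = r.uint(3)
        if hs_len != r.remaining():
            out["problems"].append(f"handshake length {hs_len} != {r.remaining()} bytes present")
        r.uint(2)                      # client_version
        r.take(32)                     # random
        r.take(r.uint(1))              # legacy_session_id
        r.take(r.uint(2))              # cipher_suites
        r.take(r.uint(1))              # legacy_compression_methods
        ext_total = r.uint(2)
        if ext_total != r.remaining():
            out["problems"].append(f"extensions length {ext_total} != {r.remaining()} bytes present")
        ext = Reader(r.take(min(ext_total, r.remaining())))
        while ext.remaining() > 0:
            etype = ext.uint(2)        # raises (caught below) if fewer than 4 header bytes remain
            elen = ext.uint(2)
            name = EXT_NAMES.get(etype, "unknown")
            if elen > ext.remaining():
                out["problems"].append(
                    f"extension {etype:#06x} ({name}) declares {elen} bytes, {ext.remaining()} left")
                break
            ext.take(elen)
            out["extensions"].append((etype, name, elen))
    except ValueError as e:
        out["problems"].append(f"truncated: {e}")
    return out


def build_client_hello(extensions) -> bytes:
    """Construct a minimal ClientHello record (sample data, not a real capture)."""
    body = b"".join(struct.pack(">HH", etype, len(p)) + p for etype, p in extensions)
    hs = (struct.pack(">H", 0x0303) + bytes(32)      # client_version + random
          + b"\x00"                                  # empty legacy_session_id
          + struct.pack(">H", 2) + b"\x13\x01"       # one cipher suite
          + b"\x01\x00"                              # null compression only
          + struct.pack(">H", len(body)) + body)
    handshake = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed samples: a consistent ClientHello, and a copy whose last extension
# (ECH) declares far more payload than the message carries.
GOOD = build_client_hello([(0x002B, b"\x02\x03\x04"), (EXT_ECH, b"\x00" * 8)])
BAD = bytearray(GOOD)
BAD[-10:-8] = struct.pack(">H", 0xFFFF)   # length field sits just before the 8-byte payload
BAD = bytes(BAD)

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, parse_client_hello(msg))
```

Run against bytes pulled from a capture (for example with `tshark -r capture.pcapng -Y "tls.handshake.type == 1" -T fields -e tls.record` or from the packet bytes pane), the `problems` list is empty for a well-formed ClientHello and names the first extension whose declared length overruns the message otherwise.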
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wireshark to version 4.6.5 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, avoid opening untrusted or suspicious packet capture files that may contain malicious TLS ClientHello packets.
Additionally, be cautious when capturing network traffic that might include maliciously crafted TLS packets.
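Since the only fix is the upgrade, the practical follow-up is to find every install still inside the affected range. The script below is an added example for this page, not code from the CVE record or the Wireshark project. The affected range (4.6.0 to 4.6.4 inclusive) and fixed version (4.6.5) are taken from the advisory text; the banner lines are constructed samples, and the assumption that `tshark -v` / `wireshark -v` prints the version as an X.Y.Z triple on its first line is the author's.

```python
"""Flag Wireshark/TShark installs in the CVE-2026-5402 affected range.

Added example, not from the CVE record or the Wireshark project. The affected
range and fixed version come from the advisory text; the banner lines are
constructed samples, and the first-line "X.Y.Z" banner format is an assumption.
"""
import re
import shutil
import subprocess

AFFECTED_MIN = (4, 6, 0)   # from the advisory: 4.6.0 (inclusive)
AFFECTED_MAX = (4, 6, 4)   # from the advisory: 4.6.4 (inclusive)
FIXED = (4, 6, 5)          # from the advisory: fixed in 4.6.5

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str):
    """Extract the first X.Y.Z triple from a version banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version) -> bool:
    """True when version falls inside the inclusive affected range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def dotted(v) -> str:
    return ".".join(map(str, v))


def assess(banners: dict) -> dict:
    """Map host -> verdict string for a dict of host -> banner line."""
    verdicts = {}
    for host, banner in banners.items():
        v = parse_version(banner)
        if v is None:
            verdicts[host] = "unknown: no version found in banner"
        elif is_affected(v):
            verdicts[host] = f"AFFECTED {dotted(v)}: upgrade to {dotted(FIXED)} or later"
        else:
            verdicts[host] = f"not affected {dotted(v)}"
    return verdicts


def local_banner():
    """First line of `tshark -v` or `wireshark -v` on this host, or None if neither is installed."""
    for tool in ("tshark", "wireshark"):
        path = shutil.which(tool)
        if path:
            out = subprocess.run([path, "-v"], capture_output=True, text=True, check=False).stdout
            return out.splitlines()[0] if out else None
    return None


# Constructed sample banners in the assumed format; hostnames are placeholders.
SAMPLE_BANNERS = {
    "analyst-01": "TShark (Wireshark) 4.6.3 (v4.6.3-0-gPLACEHOLDER)",
    "analyst-02": "TShark (Wireshark) 4.6.5 (v4.6.5-0-gPLACEHOLDER)",
    "sensor-07": "Wireshark 4.4.2",
    "legacy-box": "tshark: command not found",
}

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_BANNERS).items():
        print(f"{host:12s} {verdict}")
    live = local_banner()
    if live:
        print("this host:  ", assess({"localhost": live})["localhost"])
```

Feed `assess()` a dict built from whatever inventory you already collect (endpoint agent output, `ssh host tshark -v`, package manager queries); it only needs the banner text, so hosts that print nothing usable are reported as unknown rather than silently passed.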
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-5402 vulnerability in Wireshark impacts compliance with common standards and regulations such as GDPR or HIPAA.