CVE-2026-5402
Received Received - Intake
TLS Protocol Heap Overflow in Wireshark 4.6.x

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5402
EUVD
EUVD-2026-26318
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the CVE-2026-5402 vulnerability in Wireshark impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-5402 vulnerability is a heap buffer overflow flaw in the TLS protocol dissector of Wireshark versions 4.6.0 through 4.6.4. It occurs due to an integer truncation issue in the processing of TLS Encrypted Client Hello (ECH) extensions, which allows an attacker to write attacker-controlled data beyond the allocated heap buffer.

This flaw can cause Wireshark to crash or potentially execute malicious code if a user opens a specially crafted packet trace file or captures network traffic containing a malicious TLS ClientHello message.

The vulnerability was discovered by Duc Anh Nguyen and is classified as a high severity issue with a CVSS score of 8.8.

Impact Analysis

This vulnerability can impact users by causing denial of service through application crashes or, more severely, by allowing attackers to execute arbitrary code within the context of Wireshark.

An attacker could exploit this by injecting malformed packets into network traffic or tricking a user into opening a malicious packet capture file, potentially compromising the security and stability of the system running Wireshark.

Detection Guidance

This vulnerability can be detected by analyzing network traffic or packet capture files for malformed TLS ClientHello messages that could trigger the heap overflow in Wireshark versions 4.6.0 to 4.6.4.

Specifically, detection involves identifying crafted .pcapng files or network captures containing malicious TLS ClientHello packets that exploit the integer truncation in the ech_outer_extensions processing loop.

While no explicit commands are provided in the resources, users can use Wireshark or command-line tools like tshark to inspect TLS ClientHello packets for anomalies or malformed extensions.

  • Use tshark to filter TLS ClientHello packets: tshark -r capture.pcapng -Y "tls.handshake.type == 1"
  • Manually inspect suspicious ClientHello packets for unusual or malformed extensions that could trigger the vulnerability.
Mitigation Strategies

The primary mitigation step is to upgrade Wireshark to version 4.6.5 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, avoid opening untrusted or suspicious packet capture files that may contain malicious TLS ClientHello packets.

Additionally, be cautious when capturing network traffic that might include maliciously crafted TLS packets.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart