CVE-2026-5406
FC-SWILS Protocol Dissector DoS in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Meta Information

  • Published: 2026-04-30
  • Last Modified: 2026-05-01
  • Generated: 2026-06-16
  • AI Q&A: 2026-04-30
  • EPSS Evaluated: 2026-06-15

Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |

CWE

| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |

Executive Summary

CVE-2026-5406 is a stack overflow (stack exhaustion from uncontrolled recursion, CWE-674) in the FC-SWILS protocol dissector of Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It occurs because a dissector function recursively processes nested zone set objects without limiting recursion depth, causing excessive stack consumption. This leads to a crash (segmentation fault) when Wireshark attempts to build the protocol tree for these packets.

The vulnerability is triggered by specially crafted packets that cause the dissector to recurse deeply, overflowing the stack and crashing the application.

Impact Analysis

This vulnerability can cause Wireshark to crash (denial of service) when processing maliciously crafted packets or packet trace files. An attacker could exploit this by injecting malformed packets or tricking a user into opening a malicious capture file, leading to application instability or interruption.

While it does not allow code execution or data compromise, the denial of service could disrupt network analysis or monitoring activities.

Detection Guidance

This vulnerability causes Wireshark to crash with a segmentation fault (SIGSEGV) when processing malformed FC-SWILS packets that contain excessively nested zone set objects.

To detect the vulnerability, you can run tshark with the -V flag on suspicious packet captures containing FC-SWILS traffic. The crash occurs when the protocol tree is built, which requires the -V option.

Example command to test for the crash on a capture file (replace capture.pcap with your file):

  • tshark -r capture.pcap -V

If tshark crashes with a segmentation fault during this command, it indicates the presence of the vulnerability triggered by malformed FC-SWILS packets.
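
The check above can be scripted so that the installed version is compared against the affected ranges and the segmentation fault is recognised from the exit status. This is an added example, not code from the advisory or the Wireshark project; the function names are hypothetical, and it assumes a POSIX shell where a child killed by SIGSEGV is reported as exit status 139 (128 + 11).

```shell
#!/bin/sh
# Added triage helper for CVE-2026-5406; function names are hypothetical.
# Run it on an isolated analysis host: -V fully dissects the untrusted capture.

# Exit 0 if VERSION is in an affected range from this advisory
# (4.4.0-4.4.14 or 4.6.0-4.6.4), 1 if not, 2 if it cannot be parsed.
is_affected_version() {
    v_ver=$1
    case "$v_ver" in
        ""|*[!0-9.]*) return 2 ;;      # empty or not a dotted number
        *.*.*) ;;                      # need major.minor.patch
        *) return 2 ;;
    esac
    v_major=${v_ver%%.*}; v_rest=${v_ver#*.}
    v_minor=${v_rest%%.*}; v_patch=${v_rest#*.}; v_patch=${v_patch%%.*}
    [ -n "$v_patch" ] || return 2
    case "$v_major.$v_minor" in
        4.4) [ "$v_patch" -le 14 ] ;;
        4.6) [ "$v_patch" -le 4 ] ;;
        *) return 1 ;;
    esac
}

# Map a tshark exit status to a verdict. The shell reports a signal death
# as 128 + signal number, so SIGSEGV (11) shows up as 139.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        139) echo crash-sigsegv ;;
        *) if [ "$1" -gt 128 ]; then echo "killed-signal-$(( $1 - 128 ))"
           else echo error; fi ;;
    esac
}

# Report whether the local tshark is affected, then dissect the capture with
# -V (the protocol tree must be built for the crash to occur).
check_capture() {
    c_ver=$(tshark --version 2>/dev/null |
        sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if is_affected_version "$c_ver"; then
        echo "tshark $c_ver is in an affected range" >&2
    fi
    c_rc=0
    ( ulimit -c 0; tshark -r "$1" -V >/dev/null 2>&1 ) || c_rc=$?
    classify_exit "$c_rc"
}

if [ "$#" -gt 0 ]; then check_capture "$1"; fi
```

A `crash-sigsegv` verdict on an affected version matches the behaviour described here; the same capture should return `clean` or `error` on 4.6.5 or 4.4.15 and later.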

Mitigation Strategies

The primary mitigation is to upgrade Wireshark to a fixed version where this vulnerability is resolved.

  • Upgrade Wireshark to version 4.6.5 or later if you are using the 4.6.x branch.
  • Upgrade Wireshark to version 4.4.15 or later if you are using the 4.4.x branch.

Avoid opening untrusted or suspicious packet capture files that may contain malformed FC-SWILS packets until the upgrade is applied.

Compliance Impact

The provided information does not specify any direct impact of the FC-SWILS protocol dissector crash vulnerability (CVE-2026-5406) on compliance with common standards and regulations such as GDPR or HIPAA.
