CVE-2026-5406
FC-SWILS Protocol Dissector DoS in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (inc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the FC-SWILS protocol dissector crash vulnerability (CVE-2026-5406) on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-5406 is a stack overflow vulnerability in the FC-SWILS protocol dissector of Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It occurs because the dissector's function recursively processes nested zone set objects without limiting recursion depth, causing excessive stack consumption. This leads to a crash (segmentation fault) when Wireshark attempts to build the protocol tree for these packets.

The vulnerability is triggered by specially crafted packets that cause the dissector to recurse deeply, overflowing the stack and crashing the application.
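
The control that is missing in the description above is a limit on recursion depth (CWE-674). As an added example, not Wireshark's dissector code and not the FC-SWILS wire format, this C parser for a constructed nested-object format stops once nesting passes an assumed MAX_DEPTH; every name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy format, NOT the FC-SWILS wire format:
 *   object := type (1 byte), len (1 byte), payload (len bytes)
 *   type 0x01 = container (payload is a run of objects), 0x02 = leaf */
#define OBJ_CONTAINER 0x01
#define OBJ_LEAF      0x02
#define MAX_DEPTH     16  /* assumed limit; size it to legitimate data */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_DEEP = -2, PARSE_BAD_TYPE = -3 };

/* Parse all objects in buf[0..len); stack use is capped at MAX_DEPTH + 1 frames. */
static int parse_objects(const uint8_t *buf, size_t len, unsigned depth, unsigned *leaves)
{
    if (depth > MAX_DEPTH) return PARSE_TOO_DEEP;      /* checked before recursing */
    for (size_t off = 0; off < len; ) {
        if (len - off < 2) return PARSE_TRUNCATED;     /* no room for a header */
        uint8_t type = buf[off];
        size_t plen = buf[off + 1];
        off += 2;
        if (plen > len - off) return PARSE_TRUNCATED;  /* length exceeds parent */
        if (type == OBJ_CONTAINER) {
            int rc = parse_objects(buf + off, plen, depth + 1, leaves);
            if (rc != PARSE_OK) return rc;
        } else if (type == OBJ_LEAF) {
            (*leaves)++;
        } else {
            return PARSE_BAD_TYPE;
        }
        off += plen;
    }
    return PARSE_OK;
}

/* Constructed test input: `nest` containers wrapped around one empty leaf. */
int parse_nested(unsigned nest)
{
    uint8_t buf[256];
    unsigned leaves = 0;
    size_t total = 2 * ((size_t)nest + 1);
    if (total > sizeof buf) return PARSE_TRUNCATED;
    for (unsigned i = 0; i < nest; i++) {
        buf[2 * i] = OBJ_CONTAINER;
        buf[2 * i + 1] = (uint8_t)(total - 2 * (i + 1));
    }
    buf[2 * nest] = OBJ_LEAF;
    buf[2 * nest + 1] = 0;
    return parse_objects(buf, total, 0, &leaves);
}

int main(void) {
    printf("nest=16 -> %d, nest=40 -> %d\n", parse_nested(16), parse_nested(40));
}
```

Without the first check in `parse_objects`, the number of stack frames is set entirely by the input, which is the condition CWE-674 describes.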


How can this vulnerability impact me?

This vulnerability can cause Wireshark to crash (denial of service) when processing maliciously crafted packets or packet trace files. An attacker could exploit this by injecting malformed packets or tricking a user into opening a malicious capture file, leading to application instability or interruption.

While it does not allow code execution or data compromise, the denial of service could disrupt network analysis or monitoring activities.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes Wireshark to crash with a segmentation fault (SIGSEGV) when processing malformed FC-SWILS packets that contain excessively nested zone set objects.

To detect the vulnerability, you can run tshark with the -V flag on suspicious packet captures containing FC-SWILS traffic. The crash occurs when the protocol tree is built, which requires the -V option.

Example command to test for the crash on a capture file (replace capture.pcap with your file):

  • tshark -r capture.pcap -V

If tshark crashes with a segmentation fault during this command, it indicates the presence of the vulnerability triggered by malformed FC-SWILS packets.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Wireshark to a fixed version where this vulnerability is resolved.

  • Upgrade Wireshark to version 4.6.5 or later if you are using the 4.6.x branch.
  • Upgrade Wireshark to version 4.4.15 or later if you are using the 4.4.x branch.

Avoid opening untrusted or suspicious packet capture files that may contain malformed FC-SWILS packets until the upgrade is applied.

