CVE-2026-5407
Received Received - Intake
SMB2 Protocol Infinite Loop in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
SMB2 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5407
EUVD
EUVD-2026-26320
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (inc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-5407 is a denial-of-service vulnerability in Wireshark's SMB2 protocol dissector that causes an infinite loop in specific functions handling SMB2 packets.

The issue occurs because the dissector does not properly validate the 'next_offset' field in SMB2 packets, allowing crafted packets to create a cycle through unsigned integer wraparound.

This infinite loop causes Wireshark's tshark tool to consume 100% CPU indefinitely until it is forcibly terminated.

The vulnerability affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 and can be triggered by sending a specially crafted 104-byte packet to port 445 or by opening a malicious packet trace file.

Impact Analysis

This vulnerability can cause Wireshark to enter an infinite loop, leading to 100% CPU usage and effectively causing a denial of service.

An attacker can exploit this by sending a malformed SMB2 packet over the network or by tricking a user into opening a malicious packet capture file.

The impact is primarily a disruption of service, as Wireshark or tshark will become unresponsive and require termination.

Detection Guidance

This vulnerability can be detected by monitoring for unusual CPU usage by Wireshark or tshark processes, as the infinite loop causes 100% CPU consumption indefinitely.

Specifically, a crafted 104-byte malicious SMB2 packet sent to port 445 triggers the issue.

To detect potential exploitation attempts, you can capture and analyze SMB2 traffic on port 445 for malformed packets with suspicious 'next_offset' fields.

  • Use tshark or tcpdump to capture SMB2 traffic on port 445, for example: tcpdump -i <interface> port 445 -w smb2_capture.pcap
  • Analyze captured packets with Wireshark or tshark, watching for abnormal CPU spikes or hangs when dissecting SMB2 packets.
  • Monitor system processes for tshark or Wireshark consuming excessive CPU resources, which may indicate triggering of the infinite loop.
Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to version 4.6.5, 4.4.15, or later, where the vulnerability has been fixed.

Until the upgrade is applied, avoid opening untrusted or suspicious SMB2 packet capture files in Wireshark or tshark.

Additionally, consider monitoring and filtering SMB2 traffic on port 445 to prevent malicious packets from reaching systems running vulnerable Wireshark versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart