CVE-2026-5407
SMB2 Protocol Infinite Loop in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5407 is a denial-of-service vulnerability in Wireshark's SMB2 protocol dissector that causes an infinite loop in specific functions handling SMB2 packets.
The issue occurs because the dissector does not properly validate the 'next_offset' field in SMB2 packets, allowing crafted packets to create a cycle through unsigned integer wraparound.
This infinite loop causes Wireshark's tshark tool to consume 100% CPU indefinitely until it is forcibly terminated.
The vulnerability affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 and can be triggered by sending a specially crafted 104-byte packet to port 445 or by opening a malicious packet trace file.
How can this vulnerability impact me? :
This vulnerability can cause Wireshark to enter an infinite loop, leading to 100% CPU usage and effectively causing a denial of service.
An attacker can exploit this by sending a malformed SMB2 packet over the network or by tricking a user into opening a malicious packet capture file.
The impact is primarily a disruption of service, as Wireshark or tshark will become unresponsive and require termination.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual CPU usage by Wireshark or tshark processes, as the infinite loop causes 100% CPU consumption indefinitely.
Specifically, a crafted 104-byte malicious SMB2 packet sent to port 445 triggers the issue.
To detect potential exploitation attempts, you can capture and analyze SMB2 traffic on port 445 for malformed packets with suspicious 'next_offset' fields.
- Use tshark or tcpdump to capture SMB2 traffic on port 445, for example: tcpdump -i <interface> port 445 -w smb2_capture.pcap
- Analyze captured packets with Wireshark or tshark, watching for abnormal CPU spikes or hangs when dissecting SMB2 packets.
- Monitor system processes for tshark or Wireshark consuming excessive CPU resources, which may indicate triggering of the infinite loop.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to version 4.6.5, 4.4.15, or later, where the vulnerability has been fixed.
Until the upgrade is applied, avoid opening untrusted or suspicious SMB2 packet capture files in Wireshark or tshark.
Additionally, consider monitoring and filtering SMB2 traffic on port 445 to prevent malicious packets from reaching systems running vulnerable Wireshark versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.