CVE-2026-5408
BT-DHT Protocol Dissector DoS in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5408 is a vulnerability in the BT-DHT protocol dissector of Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It is caused by unchecked recursion in the dissect_bencoded_list() function, which processes deeply nested bencoded lists in BT-DHT packets. This unchecked recursion consumes stack memory at each level, potentially leading to a stack overflow and causing Wireshark to crash.
An attacker can craft a UDP packet with a large number of nested lists (up to 32,000), which can exhaust the stack space on systems with limited stack size (around 1 MB or less), triggering a segmentation fault and crashing Wireshark.
The issue occurs especially when using the 'Decode As' feature on systems with reduced stack limits, while systems with default larger stack sizes (e.g., 8 MB) are not affected.
How can this vulnerability impact me?
This vulnerability can cause Wireshark to crash or become unresponsive when processing maliciously crafted BT-DHT packets or packet trace files containing deeply nested bencoded lists.
An attacker could exploit this by injecting malformed packets or tricking a user into opening a malicious packet capture file, leading to a denial of service (DoS) condition on the system running Wireshark.
Additionally, the vulnerability may cause excessive CPU usage during the processing of such malformed packets.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a crash in Wireshark's BT-DHT dissector triggered by deeply nested bencoded lists in BT-DHT packets. Detection involves identifying malformed or malicious BT-DHT packets with excessive nesting.
One way to detect potential exploitation attempts is to monitor for unusually large or deeply nested BT-DHT UDP packets, especially those approaching 64 KB in size with complex nested structures.
On systems where Wireshark is used, you can reproduce or detect the issue by running Wireshark with a reduced stack size limit and attempting to decode suspicious BT-DHT packets using the 'Decode As' feature.
To simulate the environment where the crash occurs, reduce the stack size limit with:
- ulimit -s 1024
Then, open or analyze BT-DHT traffic in Wireshark to see if the crash or excessive recursion occurs.
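The nesting check described above can be done without recursion, so the checker itself cannot exhaust the stack. The following is an added example, not Wireshark's code or its fix; `bencode_max_depth` and the sample payload are hypothetical names and constructed data, and the depth threshold to alert on is left to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Iterative (constant-stack) scan of a bencoded buffer. Returns the deepest
 * list/dict nesting seen. Stops at the first malformed or truncated element
 * with *ok left 0, still returning the depth reached up to that point. */
size_t bencode_max_depth(const uint8_t *buf, size_t len, int *ok)
{
    size_t pos = 0, depth = 0, max_depth = 0;
    *ok = 0;
    while (pos < len) {
        uint8_t c = buf[pos];
        if (c == 'l' || c == 'd') {              /* container opens */
            pos++;
            if (++depth > max_depth) max_depth = depth;
        } else if (c == 'e') {                   /* container closes */
            if (depth == 0) return max_depth;    /* stray terminator */
            depth--; pos++;
        } else if (c == 'i') {                   /* integer: skip to its 'e' */
            const uint8_t *end = memchr(buf + pos, 'e', len - pos);
            if (end == NULL) return max_depth;
            pos = (size_t)(end - buf) + 1;
        } else if (c >= '0' && c <= '9') {       /* string: <n>:<n bytes> */
            size_t n = 0;
            while (pos < len && buf[pos] >= '0' && buf[pos] <= '9') {
                n = n * 10 + (size_t)(buf[pos++] - '0');
                if (n > len) return max_depth;   /* cannot fit in buffer */
            }
            if (pos >= len || buf[pos] != ':' || n > len - pos - 1) return max_depth;
            pos += 1 + n;                        /* skip ':' and the body */
        } else {
            return max_depth;                    /* unknown type byte */
        }
    }
    *ok = (depth == 0);
    return max_depth;
}

/* Constructed sample: a dict whose last value nests 4 lists (depth 5). */
static const char sample[] = "d1:t2:aa1:v" "llll" "i1e" "eeee" "e";
int main(void)
{
    int ok;
    size_t d = bencode_max_depth((const uint8_t *)sample, sizeof sample - 1, &ok);
    printf("max depth %zu, well-formed %d\n", d, ok);
    return 0;
}
```

Ordinary BT-DHT messages nest only a few levels, so a payload whose reported depth is in the hundreds or thousands stands out whether or not it parses cleanly.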
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.
- Upgrade to Wireshark version 4.6.5 or later if you are using the 4.6.x branch.
- Upgrade to Wireshark version 4.4.15 or later if you are using the 4.4.x branch.
Avoid opening suspicious or untrusted packet capture files that may contain malformed BT-DHT packets.
If possible, increase the stack size limit on systems running Wireshark to prevent crashes caused by stack exhaustion.