CVE-2026-5653
DCP-ETSI Protocol Dissector DoS in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5653 is a heap buffer overflow vulnerability in the DCP-ETSI PFT Reed-Solomon error correction dissector of Wireshark. It occurs when processing specially crafted PCAP files containing DCP-ETSI PFT fragments with forward error correction enabled and a specific parameter (RSk) set to 0.
The vulnerability arises because the Reed-Solomon decoder operates on fixed 255-byte blocks, but the output buffer is allocated based on smaller sizes, allowing the decoder to write up to 55 bytes beyond the allocated heap buffer. This overflow is triggered during the reassembly of fragments when the last fragment arrives.
Since the DCP-ETSI dissector automatically processes UDP packets starting with specific bytes without requiring special port configuration, simply opening a maliciously crafted file or receiving a malicious packet can trigger the vulnerability, causing Wireshark to crash.
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing Wireshark when it processes malformed or maliciously crafted packets or packet capture files.
An attacker could exploit this by sending a malformed packet over the network or tricking a user into opening a malicious packet trace file, leading to application crashes and potential disruption of network analysis activities.
There are no known exploits currently, but users are advised to upgrade to fixed versions to avoid this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is triggered by UDP packets starting with the bytes "PF" (0x5046) and a valid CRC-16 header, which are automatically dissected by the DCP-ETSI dissector in Wireshark.
To detect traffic that could trigger this vulnerability on your network or system, you can monitor for UDP packets beginning with the bytes 0x5046 and a valid CRC-16 header.
Using Wireshark itself, you can filter for such packets with a display filter like: `udp.payload[0:2] == 50:46`
Additionally, running Wireshark with AddressSanitizer (ASAN) enabled can help detect heap buffer overflows triggered by malformed DCP-ETSI packets.
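The check described above can also be run over a capture without opening it in Wireshark. This added example (not from the original page or the Wireshark project) reads a classic pcap directly and reports UDP payloads that begin with "PF" and have FEC enabled with RSk set to 0. The header offsets are an assumption taken from the ETSI TS 102 821 PFT layout, and `pft_fec_rsk_zero`, `scan_pcap`, `frame` and `sample_pcap` are hypothetical names.

```python
import struct

def pft_fec_rsk_zero(payload: bytes) -> bool:
    """True if a UDP payload looks like a PFT fragment with FEC set and RSk == 0."""
    if len(payload) < 14 or payload[:2] != b"PF":   # "PF" sync bytes, per the page
        return False
    # Assumed layout (ETSI TS 102 821): Pseq(2) Findex(3) Fcount(3), then a
    # 16-bit word whose top bit is the FEC flag; RSk follows when FEC is set.
    (flags_plen,) = struct.unpack_from(">H", payload, 10)
    return bool(flags_plen & 0x8000) and payload[12] == 0

def scan_pcap(blob: bytes) -> list:
    """1-based record numbers of matching packets in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if order is None or struct.unpack_from(order + "I", blob, 20)[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    hits, off, num = [], 24, 0
    while off + 16 <= len(blob):
        (incl,) = struct.unpack_from(order + "I", blob, off + 8)
        pkt, off, num = blob[off + 16:off + 16 + incl], off + 16 + incl, num + 1
        # Untagged Ethernet II / IPv4 / UDP only; the header CRC is not verified.
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue
        ihl = (pkt[14] & 0x0F) * 4                  # IPv4 header length in bytes
        if pft_fec_rsk_zero(pkt[14 + ihl + 8:]):    # skip the 8-byte UDP header
            hits.append(num)
    return hits

def frame(udp_payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with zeroed addresses and checksums."""
    udp = struct.pack(">HHHH", 40000, 40001, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack(">BBHHHBBH8x", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
    return bytes(12) + b"\x08\x00" + ip + udp

def sample_pcap() -> bytes:
    """Constructed capture: PFT-style headers only, placeholder CRCs, no real traffic."""
    head = b"PF" + bytes(2) + bytes(3) + b"\x00\x00\x02"
    payloads = [head + b"\x00\x04" + bytes(6),               # FEC flag clear
                head + b"\x80\x04" + b"\xcf\x00" + bytes(4),  # FEC set, RSk = 207
                head + b"\x80\x04" + b"\x00\x00" + bytes(4),  # FEC set, RSk = 0
                b"unrelated UDP data"]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        f = frame(p)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(scan_pcap(sample_pcap()))
```

Because the CRC-16 header is not checked, a hit only marks a packet for closer review on a patched Wireshark build; pcapng files, VLAN tags and IPv6 are outside what this example parses.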
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wireshark to version 4.6.5, 4.4.15, or later, where this vulnerability has been fixed.
Until the upgrade is applied, avoid opening untrusted or suspicious packet capture files that may contain crafted DCP-ETSI fragments.
Be cautious of UDP traffic containing packets starting with "PF" (0x5046) and a valid CRC-16 header, as these may trigger the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.