CVE-2026-5654
Received Received - Intake
AMR-NB Codec Crash in Wireshark Allows DoS

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
AMR-NB codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5654
EUVD
EUVD-2026-26324
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (inc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5654 is a vulnerability in Wireshark's AMR-NB audio codec that causes the application to crash. It affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The crash happens when Wireshark processes malformed packets or packet trace files containing malformed data, specifically due to a stack buffer overflow in the AMR-NB Bandwidth-Efficient Codec Decoder.

This overflow occurs when processing RTP payloads encoded in mode 7 (AMR 12.2 kbps), where the function codec_amr_decode() writes one byte beyond the end of a 32-byte stack buffer. This out-of-bounds write is triggered by attacker-controlled packet data, leading to a crash or potentially more severe consequences.

Impact Analysis

This vulnerability can cause Wireshark to crash immediately when processing maliciously crafted packets or trace files. An attacker could exploit this by convincing a user to open a specially crafted PCAP file or inject malformed packets into the network.

The impact is primarily a denial of service (DoS), disrupting the use of Wireshark for network analysis. Additionally, due to the stack buffer overflow, there is a potential risk of arbitrary code execution, which could lead to further compromise of the system running Wireshark.

Detection Guidance

This vulnerability can be detected by identifying malformed AMR-NB codec packets or malformed packet trace files that cause Wireshark to crash when processed.

One practical approach is to monitor for crashes of Wireshark when opening or analyzing network captures containing AMR-NB audio codec data, especially RTP streams encoded in mode 7 (AMR 12.2 kbps).

While no specific commands are provided in the resources, you can use Wireshark to open suspicious PCAP files and observe if the application crashes, indicating the presence of the malformed packets triggering the vulnerability.

Additionally, analyzing RTP streams with filters such as "rtp.payload_type == <AMR-NB payload type>" in Wireshark might help isolate potentially malicious packets.

Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to version 4.6.5 or 4.4.15 or later, as these versions contain fixes for the AMR-NB codec crash vulnerability.

Until the upgrade is applied, avoid opening untrusted or suspicious PCAP files that may contain malformed AMR-NB codec data.

Also, be cautious when analyzing network traffic that includes AMR-NB RTP streams, especially those encoded in mode 7, to prevent triggering the crash.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart