CVE-2026-5654
AMR-NB Codec Crash in Wireshark Allows DoS
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5654 is a vulnerability in Wireshark's AMR-NB audio codec that causes the application to crash. It affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The crash happens when Wireshark processes malformed packets or packet trace files containing malformed data, specifically due to a stack buffer overflow in the AMR-NB Bandwidth-Efficient Codec Decoder.
This overflow occurs when processing RTP payloads encoded in mode 7 (AMR 12.2 kbps), where the function codec_amr_decode() writes one byte beyond the end of a 32-byte stack buffer. This out-of-bounds write is triggered by attacker-controlled packet data, leading to a crash or potentially more severe consequences.
How can this vulnerability impact me?
This vulnerability can cause Wireshark to crash immediately when processing maliciously crafted packets or trace files. An attacker could exploit this by convincing a user to open a specially crafted PCAP file or inject malformed packets into the network.
The impact is primarily a denial of service (DoS), disrupting the use of Wireshark for network analysis. Additionally, due to the stack buffer overflow, there is a potential risk of arbitrary code execution, which could lead to further compromise of the system running Wireshark.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying malformed AMR-NB codec packets or malformed packet trace files that cause Wireshark to crash when processed.
One practical approach is to monitor for crashes of Wireshark when opening or analyzing network captures containing AMR-NB audio codec data, especially RTP streams encoded in mode 7 (AMR 12.2 kbps).
While no specific commands are provided in the resources, you can use Wireshark to open suspicious PCAP files and observe if the application crashes, indicating the presence of the malformed packets triggering the vulnerability.
Additionally, analyzing RTP streams with a display filter such as "rtp.p_type == <AMR-NB payload type>" in Wireshark might help isolate potentially malicious packets.
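As an added example (not from the advisory or from Wireshark's code), the Python below parses the RFC 4867 bandwidth-efficient header of an RTP payload and flags frames in mode 7, the mode named above, so a capture can be triaged without opening it in an affected Wireshark build. It assumes the caller has already stripped the RTP header and knows the stream is AMR-NB; the function names and sample bytes are constructed for illustration.

```python
# AMR-NB speech bits per frame type (RFC 4867 / 3GPP TS 26.101); 15 = NO_DATA.
AMR_NB_BITS = {0: 95, 1: 103, 2: 118, 3: 134, 4: 148, 5: 159,
               6: 204, 7: 244, 8: 39, 15: 0}
# Constructed sample: CMR=15, one ToC entry (F=0, FT=7, Q=1), zeroed speech bits.
SAMPLE_MODE7 = bytes([0xF3, 0xC0]) + bytes(30)


def read_bits(data: bytes, pos: int, count: int) -> int:
    """Read `count` bits (MSB first) starting at bit offset `pos`."""
    value = 0
    for i in range(pos, pos + count):
        if i // 8 >= len(data):
            raise ValueError("truncated payload")
        value = (value << 1) | ((data[i // 8] >> (7 - i % 8)) & 1)
    return value


def parse_amr_be(payload: bytes) -> dict:
    """Parse the CMR and table of contents of a bandwidth-efficient payload."""
    cmr = read_bits(payload, 0, 4)
    pos, frame_types = 4, []
    while True:
        more = read_bits(payload, pos, 1)      # F bit: another ToC entry follows
        ft = read_bits(payload, pos + 1, 4)    # FT: frame type (codec mode)
        pos += 6                               # F + FT + Q
        if ft not in AMR_NB_BITS:
            raise ValueError(f"invalid AMR-NB frame type {ft}")
        frame_types.append(ft)
        if not more:
            break
    total_bits = pos + sum(AMR_NB_BITS[ft] for ft in frame_types)
    expected = (total_bits + 7) // 8           # speech bits are padded to an octet
    return {"cmr": cmr, "frame_types": frame_types, "expected_len": expected,
            "length_ok": len(payload) == expected, "has_mode7": 7 in frame_types}


def triage(payload: bytes) -> str:
    """Classify one RTP payload for review before it reaches a decoder."""
    try:
        info = parse_amr_be(payload)
    except ValueError as exc:
        return f"not-amr-be: {exc}"
    if info["has_mode7"]:
        return "review: mode 7" + ("" if info["length_ok"] else ", length mismatch")
    return "ok"


if __name__ == "__main__":
    print(triage(SAMPLE_MODE7))
```

A "review" result only means the payload carries mode 7 frames; it does not show that the payload is malformed.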
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to version 4.6.5 or 4.4.15 or later, as these versions contain fixes for the AMR-NB codec crash vulnerability.
Until the upgrade is applied, avoid opening untrusted or suspicious PCAP files that may contain malformed AMR-NB codec data.
Also, be cautious when analyzing network traffic that includes AMR-NB RTP streams, especially those encoded in mode 7, to prevent triggering the crash.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.