CVE-2026-6523
GNW Protocol Dissector Infinite Loop in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-6523 vulnerability in Wireshark is caused by an infinite loop in the GNW (GeoNetworking) protocol dissector. This occurs when Wireshark processes a malformed GeoNetworking packet containing a variable-length field with an extremely large value. The dissector attempts to handle this field by creating an excessive number of payload tree items, leading to excessive CPU and memory consumption.
This infinite loop and excessive memory allocation can cause Wireshark to hang or crash, resulting in a denial of service. The vulnerability affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14.
How can this vulnerability impact me? :
Exploitation of this vulnerability can cause Wireshark to consume excessive CPU and memory resources, potentially leading to application crashes or system instability.
An attacker could exploit this by injecting a malformed packet or tricking a user into opening a malicious packet trace file, causing a denial of service on the affected system.
This may disrupt network analysis activities and could impact availability of the Wireshark application during critical troubleshooting or monitoring tasks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing network traffic or packet capture files for malformed GeoNetworking (GNW) packets that contain a variable-length field with a value of 0x1f, which leads to excessive resource consumption in Wireshark.
A practical way to detect the vulnerability is to use the command-line version of Wireshark, tshark, to analyze suspicious pcap files. The vulnerability can be triggered by processing a specially crafted pcap file that causes Wireshark to enter an infinite loop and consume excessive memory.
- Use tshark to analyze packet capture files: `tshark -r suspicious_file.pcap`
- Monitor Wireshark or tshark processes for unusually high CPU or memory usage when opening or analyzing GNW protocol packets.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Wireshark to version 4.6.5, 4.4.15, or later, where this vulnerability has been fixed.
Until the upgrade can be applied, avoid opening or analyzing untrusted or suspicious packet capture files that may contain malformed GNW packets.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-6523 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.