CVE-2026-6526
RTSP Protocol Dissector Crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can cause Wireshark to crash when processing specially crafted malformed RTSP packets or malicious packet capture files. The impact is primarily a denial-of-service (DoS), where the application becomes unavailable or unstable due to the crash.
An attacker could exploit this by injecting malformed packets into the network or tricking a user into opening a malicious packet trace file, causing Wireshark to crash and potentially disrupting network analysis or monitoring activities.
Can you explain this vulnerability to me?
CVE-2026-6526 is a vulnerability in Wireshark versions 4.6.0 to 4.6.4 affecting the RTSP protocol dissector. It is caused by a NULL pointer dereference triggered by a malformed RTSP DESCRIBE request containing a URL with a question mark before the protocol separator (e.g., "?://x"). This malformed URL causes a function to return NULL, leading to a crash when the program tries to access memory at that NULL pointer.
The crash happens during HTTP header parsing in the dissect_http function, specifically in the determine_http_location_target routine. This can be triggered by opening a malicious PCAP file or processing it with tshark, resulting in a segmentation fault and denial-of-service condition.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Attempts to trigger this vulnerability can be detected by looking for malformed RTSP DESCRIBE requests whose URI has a question mark before the protocol separator, such as "?://x". Such packets may cause Wireshark to crash when it dissects the RTSP protocol.
One way to do this is to capture network traffic and inspect the URIs of RTSP DESCRIBE requests for that pattern.
Additionally, processing packet capture files with tshark or Wireshark and observing for crashes or segmentation faults can indicate the presence of this vulnerability.
- Use tshark to process PCAP files and watch for crashes: `tshark -r suspicious_capture.pcap`
- Capture RTSP traffic and filter for DESCRIBE requests with malformed URIs using a display filter like: `rtsp.method == "DESCRIBE" && rtsp.url contains "?://"`
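The same check can be made without running a capture through the affected dissector. The script below is an added example, not code from this page or from the Wireshark project; it reads a classic pcap file directly and flags DESCRIBE requests whose URI has a "?" before "://". The function names and the sample capture are constructed for illustration.

```python
import re
import struct

# Request line of an RTSP DESCRIBE; group 1 is the request URI.
REQUEST_LINE = re.compile(rb"DESCRIBE ([^ \r\n]+) RTSP/\d\.\d\r?\n")
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # nanosecond


def is_suspect_uri(uri: bytes) -> bool:
    """True when a '?' appears before the '://' separator, e.g. b'?://x'."""
    sep = uri.find(b"://")
    return sep != -1 and b"?" in uri[:sep]


def pcap_records(data: bytes):
    """Yield (frame_number, raw_bytes) for each record of a classic pcap file."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    offset, frame = 24, 0  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        frame += 1  # 1-based, matching Wireshark frame numbers
        yield frame, data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len


def scan_pcap(data: bytes):
    """Return [(frame_number, uri)] for DESCRIBE requests with a suspect URI."""
    return [(frame, m.group(1))
            for frame, raw in pcap_records(data)
            for m in REQUEST_LINE.finditer(raw)
            if is_suspect_uri(m.group(1))]


def build_sample_pcap(payloads):
    """Wrap payloads as pcap records (constructed data, link-layer headers omitted)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in payloads)


# Constructed sample: one ordinary DESCRIBE and one with the malformed URI.
SAMPLE = build_sample_pcap([
    b"DESCRIBE rtsp://cam.example/stream?id=1 RTSP/1.0\r\nCSeq: 1\r\n\r\n",
    b"DESCRIBE ?://x RTSP/1.0\r\nCSeq: 2\r\n\r\n",
])
if __name__ == "__main__":
    print(scan_pcap(SAMPLE))
```

The scan matches raw frame bytes, so a request line split across TCP segments is not seen; a clean result does not replace upgrading.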
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to version 4.6.5 or later, where this vulnerability has been fixed.
Until the upgrade is applied, avoid opening untrusted or suspicious packet capture files that may contain malformed RTSP DESCRIBE requests designed to trigger the crash.
Additionally, be cautious about processing network traffic containing RTSP packets with unusual URIs, and consider restricting access to Wireshark or tshark to trusted users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-6526 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.