CVE-2026-6526
Received - Intake
RTSP Protocol Dissector Crash in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
RTSP protocol dissector crash in Wireshark 4.6.0 to 4.6.4
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-06-16
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: wireshark
Product: wireshark
Version / Range: From 4.6.0 (inc) to 4.6.4 (inc)
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
Impact Analysis

This vulnerability can cause Wireshark to crash when processing specially crafted malformed RTSP packets or malicious packet capture files. The impact is primarily a denial-of-service (DoS), where the application becomes unavailable or unstable due to the crash.

An attacker could exploit this by injecting malformed packets into the network or tricking a user into opening a malicious packet trace file, causing Wireshark to crash and potentially disrupting network analysis or monitoring activities.

Executive Summary

CVE-2026-6526 is a vulnerability in Wireshark versions 4.6.0 to 4.6.4 affecting the RTSP protocol dissector. It is caused by a NULL pointer dereference triggered by a malformed RTSP DESCRIBE request containing a URL with a question mark before the protocol separator (e.g., "?://x"). This malformed URL causes a function to return NULL, leading to a crash when the program tries to access memory at that NULL pointer.

The crash happens during HTTP header parsing in the dissect_http function, specifically in the determine_http_location_target routine. This can be triggered by opening a malicious PCAP file or processing it with tshark, resulting in a segmentation fault and denial-of-service condition.

Detection Guidance

This vulnerability can be detected by monitoring for malformed RTSP DESCRIBE requests containing a URI with a question mark before the protocol separator, such as "?://x". Such packets may cause Wireshark to crash when dissecting the RTSP protocol.

One way to detect this is to capture network traffic and inspect RTSP DESCRIBE requests for URIs in which a question mark appears before the "://" protocol separator, as in "?://x".

Additionally, a crash or segmentation fault while processing a packet capture file with tshark or Wireshark can indicate the presence of this vulnerability.

  • Use tshark to process PCAP files and watch for crashes: tshark -r suspicious_capture.pcap
  • Capture RTSP traffic and filter for DESCRIBE requests using a display filter like: rtsp.method == "DESCRIBE", then inspect their URIs for the malformed pattern
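
The URI check described above can also be run over raw stream bytes, without passing the traffic through an RTSP dissector. The following is an added example, not code from this page or from the Wireshark project; the function names, the `methods` parameter and the sample stream are assumptions constructed for illustration.

```python
import re

# Request line layout: METHOD SP Request-URI SP RTSP/x.y
REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) RTSP/\d\.\d$")


def query_before_scheme(uri: str) -> bool:
    """True when a '?' appears before the first '://' in the URI."""
    sep = uri.find("://")
    qmark = uri.find("?")
    return sep != -1 and qmark != -1 and qmark < sep


def scan_payload(payload: bytes, methods=("DESCRIBE",)):
    """Return (line_no, method, uri) for each suspicious request line.

    `payload` is a reassembled TCP stream. Decoding as latin-1 is
    lossless, so interleaved binary data cannot raise an error.
    """
    hits = []
    for line_no, raw in enumerate(payload.split(b"\r\n"), start=1):
        match = REQUEST_LINE.match(raw.decode("latin-1"))
        if not match:
            continue
        method, uri = match.groups()
        if method in methods and query_before_scheme(uri):
            hits.append((line_no, method, uri))
    return hits


# Constructed sample stream (not captured traffic).
SAMPLE = (
    b"DESCRIBE rtsp://cam.example/stream RTSP/1.0\r\nCSeq: 1\r\n\r\n"
    b"DESCRIBE rtsp://cam.example/s?next=http://a.example/ RTSP/1.0\r\nCSeq: 2\r\n\r\n"
    b"DESCRIBE ?://x RTSP/1.0\r\nCSeq: 3\r\n\r\n"
    b"OPTIONS ?://x RTSP/1.0\r\nCSeq: 4\r\n\r\n"
)

if __name__ == "__main__":
    for line_no, method, uri in scan_payload(SAMPLE):
        print(f"line {line_no}: {method} {uri}")
```

A legitimate URI whose query string carries another URL is not flagged, because its first "://" comes before the "?".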

Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to version 4.6.5 or later, where this vulnerability has been fixed.

Until the upgrade is applied, avoid opening untrusted or suspicious packet capture files that may contain malformed RTSP DESCRIBE requests designed to trigger the crash.

Additionally, be cautious about processing network traffic containing RTSP packets with unusual URIs, and consider restricting access to Wireshark or tshark to trusted users only.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-6526 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
