CVE-2026-6527
ASN.1 PER Protocol Dissector Crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-6527 vulnerability in Wireshark is caused by a crash in the ASN.1 PER protocol dissector, which is responsible for decoding ASN.1 PER-encoded data.
This crash occurs due to a lack of recursion depth limits in certain functions of the PER dissector, allowing a maliciously crafted packet to cause unbounded recursion and ultimately a stack overflow.
The vulnerability affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 and can be triggered by sending a malformed packet over the network or by opening a malicious packet trace file.
How can this vulnerability impact me?
This vulnerability can crash Wireshark through a stack overflow, resulting in a denial of service.
An attacker could exploit this by sending a specially crafted packet or providing a malicious packet capture file, causing the application to terminate unexpectedly.
While there are currently no known exploits in the wild, the impact is a loss of availability of the Wireshark application during analysis or network monitoring.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in Wireshark is triggered by malformed ASN.1 PER-encoded packets that cause the ASN.1 PER dissector to crash. Detection involves identifying such malformed packets or suspicious packet traces that cause crashes.
One practical approach is to analyze network traffic or packet capture files with Wireshark versions 4.6.0 to 4.6.4 or 4.4.0 to 4.4.14 and observe if the application crashes when opening or dissecting certain packets.
Additionally, using the proof-of-concept capture file (ngap_per_recursion.pcap) mentioned in Resource 2 can help reproduce the issue in a controlled environment.
For command-line detection, running TShark (the command-line version of Wireshark) on suspicious capture files may reveal crashes or stack overflow errors, especially if compiled with AddressSanitizer (ASAN) for enhanced detection of memory errors.
- Use TShark to analyze a capture file: tshark -r suspicious_capture.pcap
- Test with the proof-of-concept file: tshark -r ngap_per_recursion.pcap (to observe crash behavior)
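Before testing capture files, it helps to know whether the installed TShark is in one of the affected ranges listed on this page. The script below is an added example, not code from the advisory or the Wireshark project; the function names are hypothetical, and it assumes the first line of `tshark --version` output contains the version as major.minor.patch.

```shell
#!/bin/sh
# Added example: classify a TShark/Wireshark version against the ranges this
# page lists as affected (4.4.0-4.4.14, 4.6.0-4.6.4). Function names are
# hypothetical helpers, not Wireshark tooling.

# Pull the first major.minor.patch triple out of a version banner line.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print affected | fixed | not-listed | unparsed; return 0 only if affected.
classify_version() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo "unparsed"; return 2; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -eq 4 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 14 ]; then
        echo "affected"; return 0
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 6 ] && [ "$patch" -le 4 ]; then
        echo "affected"; return 0
    elif [ "$major" -eq 4 ] && { [ "$minor" -eq 4 ] || [ "$minor" -eq 6 ]; }; then
        echo "fixed"; return 1      # 4.4.15+ or 4.6.5+
    fi
    echo "not-listed"; return 1     # a branch this page does not mention
}

# Classify the locally installed TShark from its version banner.
check_installed_tshark() {
    banner=$(tshark --version 2>/dev/null | head -n 1)
    printf 'installed tshark: %s\n' "$(classify_version "$banner")"
}

# Constructed sample banners, so the script shows output without TShark.
for sample in "TShark (Wireshark) 4.6.3 (constructed)" \
              "TShark (Wireshark) 4.4.15 (constructed)"; do
    printf '%s -> %s\n' "$sample" "$(classify_version "$sample")"
done
if command -v tshark >/dev/null 2>&1; then check_installed_tshark; fi
```

A result of "not-listed" means only that the version is outside the two release series named here, not that it has been verified as unaffected.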
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-6527 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.
- Upgrade Wireshark to version 4.6.5 or later if you are using the 4.6.x series.
- Upgrade Wireshark to version 4.4.15 or later if you are using the 4.4.x series.
Avoid opening untrusted or suspicious packet capture files that could trigger the ASN.1 PER dissector crash.