CVE-2026-6528
TLS Protocol Infinite Loop in Wireshark 4.6.0 to 4.6.4
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-6528 is a vulnerability in Wireshark versions 4.6.0 to 4.6.4 related to the TLS protocol dissector. Specifically, it involves an infinite loop triggered during the processing of a malformed Encrypted Client Hello (ECH) extension in TLS traffic. When Wireshark processes a TLS ClientHello containing ECH with certain crafted data, the loop responsible for reconstructing the ECH transcript does not handle zero-length data properly, causing the loop condition to remain true indefinitely.
This infinite loop leads Wireshark or tshark to consume 100% CPU, effectively causing a denial of service. The issue arises when an attacker provides both a crafted packet capture (pcap) file and a corresponding keylog file to trigger the bug.
How can this vulnerability impact me? :
This vulnerability can cause Wireshark or tshark to enter an infinite loop, resulting in 100% CPU usage and denial of service. This means that the affected software becomes unresponsive or unusable while processing specially crafted TLS traffic.
An attacker could exploit this by providing a crafted pcap file and keylog file, causing resource exhaustion on the system running Wireshark or tshark. This could disrupt network traffic analysis or monitoring activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing TLS traffic with Wireshark or tshark, specifically looking for TLS ClientHello messages containing Encrypted Client Hello (ECH) extensions. Detection involves observing if Wireshark or tshark enters an infinite loop or exhibits high CPU usage when processing such traffic.
To reproduce or detect the issue, an attacker can provide a crafted pcap file along with a corresponding keylog file that triggers the infinite loop during ECH transcript reconstruction.
While no specific commands are provided in the resources, using tshark or Wireshark to load suspicious TLS traffic with ECH and monitoring CPU usage or hangs can help identify the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading Wireshark to version 4.6.5 or later, where the vulnerability has been fixed.
Until the upgrade is applied, avoid processing untrusted or suspicious TLS traffic containing Encrypted Client Hello (ECH) extensions with affected Wireshark versions (4.6.0 to 4.6.4) to prevent denial of service due to infinite loops.