CVE-2026-6529
iLBC Codec Crash in Wireshark Allows DoS
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-6529 is a heap buffer overflow in Wireshark's iLBC codec decoder. It happens when Wireshark processes multi-frame iLBC RTP packets but incorrectly estimates the output buffer size based on a single frame, regardless of how many frames are actually in the packet.
Because of this miscalculation, when multiple frames are present, the decoder writes more data than the buffer can hold, causing a heap overflow. For example, a payload with two iLBC frames can cause the decoder to write 640 bytes into a 320-byte buffer, leading to memory corruption.
This overflow occurs in the WebRtcIlbcfix_Decode function and can cause Wireshark to crash or potentially allow arbitrary code execution. The issue can be triggered by loading a specially crafted pcap file containing multi-frame iLBC RTP packets.
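The sizing error described above, shown as an added illustration in C (this is not Wireshark's code nor the project's actual fix): the flawed path sizes the output for one frame, the corrected path derives the frame count from the payload length and rejects payloads that are not a whole number of frames. Frame sizes are the RFC 3951 values for iLBC's 20 ms and 30 ms modes; the two-frame payload in main is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* iLBC frame geometry (RFC 3951): 20 ms mode packs 160 samples into 38 bytes,
 * 30 ms mode packs 240 samples into 50 bytes. Decoded output is 16-bit PCM. */
enum {
    ILBC_20MS_FRAME_BYTES = 38, ILBC_20MS_SAMPLES = 160,
    ILBC_30MS_FRAME_BYTES = 50, ILBC_30MS_SAMPLES = 240
};

/* Look up encoded bytes and decoded samples per frame; 0 for an unknown mode. */
static int mode_geometry(int mode_ms, size_t *bytes, size_t *samples) {
    if (mode_ms == 20) { *bytes = ILBC_20MS_FRAME_BYTES; *samples = ILBC_20MS_SAMPLES; return 1; }
    if (mode_ms == 30) { *bytes = ILBC_30MS_FRAME_BYTES; *samples = ILBC_30MS_SAMPLES; return 1; }
    return 0;
}

/* Flawed sizing, as the advisory describes it: the output buffer is sized for
 * exactly one frame, whatever the payload actually contains. */
size_t single_frame_output_bytes(int mode_ms) {
    size_t fb, fs;
    if (!mode_geometry(mode_ms, &fb, &fs)) return 0;
    return fs * sizeof(int16_t);
}

/* Corrected sizing: count the frames in the payload and size the output for all
 * of them. Returns 0 when the payload is not a whole number of frames, so a
 * truncated or padded packet is rejected instead of decoded. */
size_t multi_frame_output_bytes(size_t payload_len, int mode_ms) {
    size_t fb, fs;
    if (!mode_geometry(mode_ms, &fb, &fs)) return 0;
    if (payload_len == 0 || payload_len % fb != 0) return 0;
    return (payload_len / fb) * fs * sizeof(int16_t);
}

/* Pre-decode check: 1 if every frame's PCM fits in out_buf_bytes, else 0. */
int decode_output_fits(size_t payload_len, int mode_ms, size_t out_buf_bytes) {
    size_t need = multi_frame_output_bytes(payload_len, mode_ms);
    return need != 0 && need <= out_buf_bytes;
}

int main(void) {
    /* Constructed case from the advisory: two 20 ms frames in one RTP payload. */
    size_t payload_len = 2 * ILBC_20MS_FRAME_BYTES;
    size_t flawed = single_frame_output_bytes(20);
    size_t needed = multi_frame_output_bytes(payload_len, 20);
    printf("payload %zu bytes: flawed buffer %zu, needed %zu, fits=%d\n",
           payload_len, flawed, needed, decode_output_fits(payload_len, 20, flawed));
    return 0;
}
```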
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing Wireshark when it processes specially crafted iLBC RTP packets.
Additionally, because the heap overflow leads to memory corruption, there is a potential risk of arbitrary code execution, which could allow an attacker to execute malicious code on the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing network traffic for specially crafted multi-frame iLBC RTP packets that trigger the heap buffer overflow in Wireshark's iLBC codec decoder.
To detect the issue, you can load a pcap file containing multi-frame iLBC RTP packets into Wireshark and use the Telephony -> RTP menu to analyze the RTP streams.
The crash is reproducible when Wireshark is compiled with AddressSanitizer (ASAN), which can help identify the heap overflow during decoding.
- Use Wireshark with ASAN enabled to open suspicious pcap files containing iLBC RTP packets.
- Inspect RTP streams via Wireshark's Telephony -> RTP menu for multi-frame iLBC packets.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to a fixed version, specifically version 4.6.5 or later, or 4.4.15 or later.
Avoid opening or processing untrusted pcap files containing iLBC RTP packets until the update is applied.
If upgrading is not immediately possible, consider disabling or restricting the use of the iLBC codec decoding in Wireshark to prevent triggering the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-6529 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.