CVE-2026-6530
Received - Intake
DCP-ETSI Protocol Dissector DoS in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-05-06
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc)
wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc)
CWE
CWE ID | Description
CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6530 is a vulnerability in the DCP-ETSI protocol dissector of Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It is caused by improper handling of malformed packets, specifically a heap buffer overflow in the rs_deinterleave function where Reed-Solomon correction writes beyond the allocated buffer size.

This overflow happens because the loop writes more bytes than the buffer can hold, leading to a heap-based buffer overflow that can cause Wireshark to crash.


How can this vulnerability impact me?

This vulnerability can be exploited by an attacker to cause a denial of service by crashing Wireshark when it processes a specially crafted malformed packet or malicious packet trace file.

Additionally, because it is a heap buffer overflow, there is potential for arbitrary code execution, which could lead to further compromise of the system running Wireshark.

Users who open malicious packet capture files without upgrading to patched versions risk having their Wireshark application crash or potentially being exploited for code execution.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is triggered by malformed DCP-ETSI protocol packets that cause Wireshark to crash when dissecting them.

Detection can involve monitoring for crashes or heap-buffer-overflow errors in Wireshark when opening packet capture files containing DCP-ETSI traffic.

A practical approach is to analyze network captures for suspicious or malformed DCP-ETSI packets that could trigger the vulnerability.

Since the vulnerability is in the rs_deinterleave function of the DCP-ETSI dissector, opening suspect capture files in a Wireshark build with AddressSanitizer enabled can help detect the heap buffer overflow.

No specific commands are provided in the resources, but you can use Wireshark or tshark to open and analyze capture files, for example:

  • tshark -r suspicious_capture.pcap -Y dcp-etsi
  • Running Wireshark with debugging or sanitizers enabled to catch crashes when opening captures containing DCP-ETSI packets.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Wireshark to a fixed version.

  • Upgrade to Wireshark version 4.6.5 or later if you are using the 4.6.x series.
  • Upgrade to Wireshark version 4.4.15 or later if you are using the 4.4.x series.

Avoid opening untrusted or suspicious packet capture files containing DCP-ETSI traffic until the upgrade is applied.
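
To triage hosts against the affected ranges listed on this page, the following script classifies a Wireshark/TShark version string. It is an added example, not part of the advisory or of Wireshark; the function names and the banner format "TShark (Wireshark) X.Y.Z" are assumptions, and the sample banner is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Wireshark/TShark builds that fall
# in the affected ranges this page lists, 4.4.0-4.4.14 and 4.6.0-4.6.4.

# Pull the first "X.Y.Z" out of a version banner line.
# Assumption: the banner looks like "TShark (Wireshark) 4.6.3 (...)".
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = affected, 1 = not affected, 2 = version not parseable.
is_affected() {
    ver=${1%%[!0-9.]*}          # drop suffixes such as "-rc1" or "+git"
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-}
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 2
    [ "$major" -eq 4 ] || return 1
    case $minor in
        4) [ "$patch" -le 14 ] ;;   # 4.4.0 through 4.4.14
        6) [ "$patch" -le 4 ] ;;    # 4.6.0 through 4.6.4
        *) return 1 ;;
    esac
}

# Map a version string to a one-line triage verdict.
verdict() {
    if is_affected "$1"; then
        echo "AFFECTED: $1 (upgrade to 4.4.15 / 4.6.5 or later)"
    else
        case $? in
            1) echo "not affected: $1" ;;
            *) echo "unknown version: $1" ;;
        esac
    fi
}

# Constructed sample banner; on a real host use: tshark --version | head -n 1
sample='TShark (Wireshark) 4.6.3 (constructed sample line)'
verdict "$(extract_version "$sample")"

# Check the locally installed build, if there is one.
if command -v tshark >/dev/null 2>&1; then
    verdict "$(extract_version "$(tshark --version 2>/dev/null | head -n 1)")"
fi
```

Pre-release suffixes are stripped before comparison, so a release candidate of an affected version is reported as affected.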


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

