CVE-2026-6532
Received Received - Intake
Kismet Protocol Dissector Crash in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6532
EUVD
EUVD-2026-26339
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (inc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-6532 vulnerability affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It is caused by a flaw in the Kismet protocol dissector, where processing a specially crafted packet can lead to a crash. Specifically, the dissector reads one byte beyond the end of a 2048-byte heap-allocated buffer, resulting in a heap-buffer-overflow read. This happens when the line length exactly matches the buffer size, causing the function format_text_internal() to access memory outside the allocated region.

An attacker could trigger this vulnerability by injecting a malicious packet or tricking a user into opening a corrupted packet trace file, causing Wireshark to crash.

The issue was discovered by Sharon Brizinov and has been confirmed using AddressSanitizer (ASAN) with a specially crafted pcap file. It is resolved by upgrading Wireshark to versions 4.6.5, 4.4.15, or later.

Impact Analysis

This vulnerability can cause Wireshark to crash unexpectedly when processing malicious or corrupted packets. This results in a denial of service (DoS) condition, where the application becomes unavailable or unstable.

An attacker could exploit this by sending a crafted packet to a system running a vulnerable version of Wireshark or by tricking a user into opening a malicious packet capture file, disrupting network analysis or monitoring activities.

Detection Guidance

The vulnerability in the Kismet protocol dissector can be detected by analyzing network traffic or packet capture files for malformed packets sent to TCP port 2501, which trigger the heap-buffer-overflow.

One practical approach is to use an AddressSanitizer (ASAN)-enabled build of Wireshark to open suspicious pcap files or monitor traffic, as the vulnerability was confirmed using ASAN logs showing heap-buffer-overflow reads.

Specifically, monitoring or filtering packets on TCP port 2501 for unusual or malformed Kismet protocol packets could help identify attempts to exploit this issue.

  • Use tcpdump or tshark to capture or filter packets on TCP port 2501: tcpdump -i <interface> tcp port 2501
  • Open suspicious capture files with an ASAN-enabled Wireshark build to detect crashes or memory errors.
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Wireshark to version 4.6.5, 4.4.15, or later, where this vulnerability has been fixed.

Until the upgrade can be applied, avoid opening untrusted or suspicious packet capture files that may contain malformed Kismet protocol packets.

Additionally, monitoring and filtering network traffic on TCP port 2501 to detect or block potentially malicious packets can reduce the risk of exploitation.

Compliance Impact

There is no information provided in the available context or resources about how the CVE-2026-6532 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6532. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart