CVE-2026-6532
Kismet Protocol Dissector Crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-6532 vulnerability affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It is caused by a flaw in the Kismet protocol dissector, where processing a specially crafted packet can lead to a crash. Specifically, the dissector reads one byte beyond the end of a 2048-byte heap-allocated buffer, resulting in a heap-buffer-overflow read. This happens when the line length exactly matches the buffer size, causing the function format_text_internal() to access memory outside the allocated region.
An attacker could trigger this vulnerability by injecting a malicious packet or tricking a user into opening a corrupted packet trace file, causing Wireshark to crash.
The issue was discovered by Sharon Brizinov and has been confirmed using AddressSanitizer (ASAN) with a specially crafted pcap file. It is resolved by upgrading Wireshark to versions 4.6.5, 4.4.15, or later.
How can this vulnerability impact me? :
This vulnerability can cause Wireshark to crash unexpectedly when processing malicious or corrupted packets. This results in a denial of service (DoS) condition, where the application becomes unavailable or unstable.
An attacker could exploit this by sending a crafted packet to a system running a vulnerable version of Wireshark or by tricking a user into opening a malicious packet capture file, disrupting network analysis or monitoring activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in the Kismet protocol dissector can be detected by analyzing network traffic or packet capture files for malformed packets sent to TCP port 2501, which trigger the heap-buffer-overflow.
One practical approach is to use an AddressSanitizer (ASAN)-enabled build of Wireshark to open suspicious pcap files or monitor traffic, as the vulnerability was confirmed using ASAN logs showing heap-buffer-overflow reads.
Specifically, monitoring or filtering packets on TCP port 2501 for unusual or malformed Kismet protocol packets could help identify attempts to exploit this issue.
- Use tcpdump or tshark to capture or filter packets on TCP port 2501: tcpdump -i <interface> tcp port 2501
- Open suspicious capture files with an ASAN-enabled Wireshark build to detect crashes or memory errors.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Wireshark to version 4.6.5, 4.4.15, or later, where this vulnerability has been fixed.
Until the upgrade can be applied, avoid opening untrusted or suspicious packet capture files that may contain malformed Kismet protocol packets.
Additionally, monitoring and filtering network traffic on TCP port 2501 to detect or block potentially malicious packets can reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
There is no information provided in the available context or resources about how the CVE-2026-6532 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.