CVE-2026-6533
Dissection engine LZ77 decompression crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1325 | The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-6533 vulnerability is a flaw in Wireshark's dissection engine, specifically in the LZ77 decompression component used for SMB2 compressed data. It affects Wireshark versions 4.6.0 to 4.6.4 and 4.4.9 to 4.4.14.
The issue occurs because the decompressor does not enforce an output size limit when decompressing data. A maliciously crafted packet can contain a small compressed payload that requests an extremely large decompressed output size by using a single back-reference with a very large match length. This causes the decompressor to enter an infinite loop or attempt to copy an unbounded amount of data, leading to a crash or denial of service.
An attacker can exploit this by sending a malformed packet or tricking a user into opening a malicious packet trace file, causing Wireshark or TShark to hang or crash.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition by crashing Wireshark or causing it to consume excessive CPU resources. This can disrupt network analysis activities and potentially impact incident response or troubleshooting processes.
If you open a maliciously crafted packet trace file or receive a malformed packet, your Wireshark application may hang or crash, leading to loss of data visibility or interruption of monitoring tasks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if Wireshark or TShark processes a specially crafted PCAP file that triggers the LZ77 decompression crash or causes the application to hang.
Specifically, processing a malicious SMB2 Compression Transform Header with an LZ77 payload in a packet capture file may cause Wireshark or TShark to crash or hang.
To detect this on your system, you can monitor for crashes or hangs of Wireshark/TShark when opening or analyzing PCAP files, especially those containing SMB2 compressed packets.
While no explicit commands are provided in the resources, you can use TShark (the command-line version of Wireshark) to process suspicious PCAP files and observe if it crashes or hangs, for example:
- tshark -r suspicious_capture.pcap
If TShark or Wireshark crashes or becomes unresponsive during this operation, it may indicate the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.
- Upgrade to Wireshark version 4.6.5, 4.4.15, or later.
This update includes fixes that enforce output size limits in the LZ77 decompressor to prevent unbounded memory consumption and crashes.
Until the upgrade is applied, avoid opening or processing untrusted or suspicious packet capture files that may contain malformed SMB2 compressed packets.
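The output size limit described above, sketched as an added example (not Wireshark's code or its actual patch). The token format, function names and sample bytes are assumptions constructed for illustration and are not the SMB2 wire format; the point is the capacity check performed before a back-reference is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { LZ_OK = 0, LZ_TRUNCATED = -1, LZ_BAD_TOKEN = -2, LZ_OUTPUT_LIMIT = -3 };

/* Toy token format, constructed for this example (NOT the SMB2 wire format):
 *   0x00 <byte>                     literal
 *   0x01 <dist:u16le> <len:u32le>   copy len bytes from dist bytes back */
int lz_decompress_bounded(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t ip = 0, op = 0;
    *out_len = 0;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len) return LZ_TRUNCATED;
            if (op >= out_cap) return LZ_OUTPUT_LIMIT;
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (in_len - ip < 6) return LZ_TRUNCATED;
            size_t dist = in[ip] | ((size_t)in[ip + 1] << 8);
            uint32_t len = in[ip + 2] | ((uint32_t)in[ip + 3] << 8) |
                           ((uint32_t)in[ip + 4] << 16) | ((uint32_t)in[ip + 5] << 24);
            ip += 6;
            if (dist == 0 || dist > op) return LZ_BAD_TOKEN;
            /* The limit: reject before copying, comparing against remaining
             * capacity so the check cannot overflow (op <= out_cap holds). */
            if (len > out_cap - op) return LZ_OUTPUT_LIMIT;
            /* Byte-wise copy: source and destination may overlap (dist < len). */
            for (uint32_t i = 0; i < len; i++, op++) out[op] = out[op - dist];
        } else return LZ_BAD_TOKEN;
    }
    *out_len = op;
    return LZ_OK;
}

/* Constructed inputs: a normal stream, and a 9-byte stream whose single
 * back-reference asks for 0xFFFFFFFF bytes of output. */
static const uint8_t SAMPLE_OK[]   = {0x00, 'A', 0x00, 'B', 0x01, 2, 0, 4, 0, 0, 0};
static const uint8_t SAMPLE_HUGE[] = {0x00, 'A', 0x01, 1, 0, 0xFF, 0xFF, 0xFF, 0xFF};
static uint8_t g_out[64];

int decode_ok(void) {   /* returns 1 when the normal stream yields "ABABAB" */
    size_t n;
    int r = lz_decompress_bounded(SAMPLE_OK, sizeof SAMPLE_OK, g_out, sizeof g_out, &n);
    return r == LZ_OK && n == 6 && memcmp(g_out, "ABABAB", 6) == 0;
}
int decode_huge(void) { /* returns the status for the oversized match */
    size_t n;
    return lz_decompress_bounded(SAMPLE_HUGE, sizeof SAMPLE_HUGE, g_out, sizeof g_out, &n);
}
int main(void) { printf("ok=%d huge=%d\n", decode_ok(), decode_huge()); return 0; }
```

Without the `len > out_cap - op` check, the copy loop in this sketch would run for the full attacker-chosen length, which is the unbounded-output behaviour the answer above describes.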
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-6533 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.