CVE-2026-6536
DLMS/COSEM Protocol Infinite Loop in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-6536 vulnerability is an infinite loop denial of service (DoS) issue in Wireshark's DLMS/COSEM protocol dissector affecting versions 4.6.0 to 4.6.4.
Specifically, when Wireshark processes a specially crafted UDP packet on port 4059, the function responsible for dissecting DLMS/COSEM data enters an infinite loop. This happens because the code does not properly handle a compact array with a zero-element structure type, causing the offset pointer to never advance and the loop to never exit.
As a result, Wireshark or tshark consumes 100% CPU indefinitely until manually terminated.
How can this vulnerability impact me? :
This vulnerability can cause Wireshark or tshark to enter an infinite loop and consume 100% CPU, leading to a denial of service condition.
If you use Wireshark to analyze network traffic, an attacker could send a crafted UDP packet that triggers this infinite loop, causing your analysis tool to become unresponsive and requiring manual termination.
This can disrupt network monitoring, troubleshooting, or forensic activities that rely on Wireshark.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring Wireshark or tshark behavior when processing DLMS/COSEM protocol packets, specifically crafted UDP packets of 63 bytes on port 4059.
If tshark or Wireshark enters an infinite loop and consumes 100% CPU indefinitely, this indicates the presence of the vulnerability.
To reproduce or detect the issue, you can use sample files or scripts that send crafted UDP packets to port 4059 and observe if Wireshark/tshark hangs.
- Use tshark to capture or read packets on UDP port 4059: tshark -f "udp port 4059"
- Monitor CPU usage of tshark or Wireshark processes during analysis to detect infinite loop behavior.
- If tshark hangs, manually terminate it using: kill -9 <pid>
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves avoiding the use of vulnerable Wireshark versions (4.6.0 to 4.6.4) when analyzing DLMS/COSEM protocol traffic on UDP port 4059.
If analysis is necessary, consider upgrading Wireshark to version 4.6.4 or later where the issue is fixed.
As a temporary workaround, avoid opening or processing captured packets containing DLMS/COSEM traffic on UDP port 4059 with vulnerable Wireshark versions.
Monitor and manually terminate any Wireshark or tshark processes that enter an infinite loop to prevent resource exhaustion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-6536 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.