CVE-2026-6536
Received Received - Intake
DLMS/COSEM Protocol Infinite Loop in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6536
EUVD
EUVD-2026-26343
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-6536 vulnerability is an infinite loop denial of service (DoS) issue in Wireshark's DLMS/COSEM protocol dissector affecting versions 4.6.0 to 4.6.4.

Specifically, when Wireshark processes a specially crafted UDP packet on port 4059, the function responsible for dissecting DLMS/COSEM data enters an infinite loop. This happens because the code does not properly handle a compact array with a zero-element structure type, causing the offset pointer to never advance and the loop to never exit.

As a result, Wireshark or tshark consumes 100% CPU indefinitely until manually terminated.

Impact Analysis

This vulnerability can cause Wireshark or tshark to enter an infinite loop and consume 100% CPU, leading to a denial of service condition.

If you use Wireshark to analyze network traffic, an attacker could send a crafted UDP packet that triggers this infinite loop, causing your analysis tool to become unresponsive and requiring manual termination.

This can disrupt network monitoring, troubleshooting, or forensic activities that rely on Wireshark.

Detection Guidance

This vulnerability can be detected by monitoring Wireshark or tshark behavior when processing DLMS/COSEM protocol packets, specifically crafted UDP packets of 63 bytes on port 4059.

If tshark or Wireshark enters an infinite loop and consumes 100% CPU indefinitely, this indicates the presence of the vulnerability.

To reproduce or detect the issue, you can use sample files or scripts that send crafted UDP packets to port 4059 and observe if Wireshark/tshark hangs.

  • Use tshark to capture or read packets on UDP port 4059: tshark -f "udp port 4059"
  • Monitor CPU usage of tshark or Wireshark processes during analysis to detect infinite loop behavior.
  • If tshark hangs, manually terminate it using: kill -9 <pid>
Mitigation Strategies

Immediate mitigation involves avoiding the use of vulnerable Wireshark versions (4.6.0 to 4.6.4) when analyzing DLMS/COSEM protocol traffic on UDP port 4059.

If analysis is necessary, consider upgrading Wireshark to version 4.6.4 or later where the issue is fixed.

As a temporary workaround, avoid opening or processing captured packets containing DLMS/COSEM traffic on UDP port 4059 with vulnerable Wireshark versions.

Monitor and manually terminate any Wireshark or tshark processes that enter an infinite loop to prevent resource exhaustion.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-6536 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6536. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart