CVE-2026-6537
Received - Intake
ZigBee Protocol Dissector Crash in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
ZigBee protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Meta Information

Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-06-16
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-06-14
Affected Vendors & Products

Vendor | Product | Version / Range
wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc)
wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc)
CWE

CWE ID | Description
CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-6537 is a stack buffer overflow vulnerability in Wireshark's ZigBee Direct dissector. It occurs because the function handling decryption allocates a fixed-size buffer but does not validate the length of the input data before decrypting it. This allows an attacker to supply specially crafted data that exceeds the buffer size, causing a stack overflow.

The vulnerability can be triggered by opening a maliciously crafted pcap file, which leads to a crash or arbitrary memory corruption. The attacker can control the overflow data due to knowledge of the encryption keystream.

Impact Analysis

This vulnerability can cause Wireshark to crash (denial of service) when processing malicious ZigBee protocol data. In some cases, it may lead to arbitrary memory corruption, which could potentially be exploited for further attacks.

Users who open specially crafted packet capture files may experience application crashes, disrupting network analysis activities.

Detection Guidance

This vulnerability can be detected by attempting to process potentially malicious ZigBee packet capture files using Wireshark or tshark. Specifically, running tshark on a crafted pcap file that triggers the vulnerability can reproduce the crash.

  • Use the command `tshark -r <malicious_pcap_file>` to test if the vulnerability can be triggered, as the crash occurs when processing malformed ZigBee packets.

Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.

  • Upgrade to Wireshark version 4.6.5, 4.4.15, or later.

Avoid opening untrusted or malformed ZigBee packet capture files until the upgrade is applied.
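
To check an installation against the ranges above, the following added example (not part of the original advisory or of Wireshark's own tooling) classifies a version string, such as the first line of `tshark --version`, as inside or outside the affected ranges listed on this page. The function names and result labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify a Wireshark/tshark version against the ranges
# listed on this page for CVE-2026-6537.
#   Affected: 4.4.0 to 4.4.14 and 4.6.0 to 4.6.4
#   Fixed:    4.4.15, 4.6.5, or later

# Pull the first X.Y.Z triple out of free text, e.g. the banner line
# "TShark (Wireshark) 4.6.4 (...)". Prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Prints one of: affected, not-affected, not-listed, unknown.
# "not-listed" means the release branch is outside the two ranges on
# this page; it makes no claim about that branch either way.
classify_version() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    case "$major.$minor" in
        4.4) [ "$patch" -le 14 ] && echo affected || echo not-affected ;;
        4.6) [ "$patch" -le 4 ] && echo affected || echo not-affected ;;
        *)   echo not-listed ;;
    esac
}

# If tshark is on PATH, report the status of the local installation.
if command -v tshark >/dev/null 2>&1; then
    banner=$(tshark --version 2>/dev/null | head -n 1)
    echo "installed tshark: $(classify_version "$banner")"
fi
```

The same function can be fed version strings collected from a software inventory instead of the local `tshark` binary.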
