CVE-2026-6537
Received Received - Intake

ZigBee Protocol Dissector Crash in Wireshark

Vulnerability report for CVE-2026-6537, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description

ZigBee protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-30
Last Modified
2026-05-01
Generated
2026-07-06
AI Q&A
2026-04-30
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (inc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-6537 is a stack buffer overflow vulnerability in Wireshark's ZigBee Direct dissector. It occurs because the function handling decryption allocates a fixed-size buffer but does not validate the length of the input data before decrypting it. This allows an attacker to supply specially crafted data that exceeds the buffer size, causing a stack overflow.

The vulnerability can be triggered by opening a maliciously crafted pcap file, which leads to a crash or arbitrary memory corruption. The attacker can control the overflow data due to knowledge of the encryption keystream.

Impact Analysis

This vulnerability can cause Wireshark to crash (denial of service) when processing malicious ZigBee protocol data. In some cases, it may lead to arbitrary memory corruption, which could potentially be exploited for further attacks.

Users who open specially crafted packet capture files may experience application crashes, disrupting network analysis activities.

Detection Guidance

This vulnerability can be detected by attempting to process potentially malicious ZigBee packet capture files using Wireshark or tshark. Specifically, running tshark on a crafted pcap file that triggers the vulnerability can reproduce the crash.

  • Use the command `tshark -r <malicious_pcap_file>` to test if the vulnerability can be triggered, as the crash occurs when processing malformed ZigBee packets.
Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.

  • Upgrade to Wireshark version 4.6.5, 4.4.15, or later.

Avoid opening untrusted or malformed ZigBee packet capture files until the upgrade is applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart