CVE-2026-6537
ZigBee Protocol Dissector Crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6537 is a stack buffer overflow vulnerability in Wireshark's ZigBee Direct dissector. It occurs because the function handling decryption allocates a fixed-size buffer but does not validate the length of the input data before decrypting it. This allows an attacker to supply specially crafted data that exceeds the buffer size, causing a stack overflow.
The vulnerability can be triggered by opening a maliciously crafted pcap file, which leads to a crash or arbitrary memory corruption. The attacker can control the overflow data due to knowledge of the encryption keystream.
How can this vulnerability impact me?
This vulnerability can cause Wireshark to crash (denial of service) when processing malicious ZigBee protocol data. In some cases, it may lead to arbitrary memory corruption, which could potentially be exploited for further attacks.
Users who open specially crafted packet capture files may experience application crashes, disrupting network analysis activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to process potentially malicious ZigBee packet capture files using Wireshark or tshark. Specifically, running tshark on a crafted pcap file that triggers the vulnerability can reproduce the crash.
- Use the command `tshark -r <malicious_pcap_file>` to test if the vulnerability can be triggered, as the crash occurs when processing malformed ZigBee packets.
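To check whether an installed tshark falls in the affected ranges listed above, the following script (an added example, not from the advisory or the Wireshark project) parses `tshark --version` output and compares it to 4.4.0-4.4.14 and 4.6.0-4.6.4. The function names and the sample version line are constructed for illustration; it assumes the upstream version number is reported, so a distribution package that backports the fix without changing that number will still be flagged.

```bash
#!/bin/sh
# Added example: classify a Wireshark/tshark version against the ranges this
# page lists for CVE-2026-6537: 4.4.0-4.4.14 and 4.6.0-4.6.4 (inclusive).
# Function names are illustrative, not part of Wireshark.

# Print the first x.y.z found in text such as `tshark --version` output.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit status: 0 = affected, 1 = not affected, 2 = version not parseable.
is_affected() {
    local major minor patch part
    IFS=. read -r major minor patch <<EOF
$1
EOF
    for part in "$major" "$minor" "$patch"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 4 ] || return 1
    if [ "$minor" -eq 4 ] && [ "$patch" -le 14 ]; then return 0; fi
    if [ "$minor" -eq 6 ] && [ "$patch" -le 4 ]; then return 0; fi
    return 1
}

# Report on the given version text, or on the local tshark if none is given.
check_tshark() {
    local out ver rc=0
    out=${1:-$(tshark --version 2>/dev/null || true)}
    ver=$(extract_version "$out")
    is_affected "$ver" || rc=$?
    case "$rc" in
        0) echo "AFFECTED: $ver (upgrade to 4.4.15, 4.6.5, or later)" ;;
        1) echo "not in an affected range: $ver" ;;
        *) echo "could not determine tshark version" ;;
    esac
}

# Constructed sample line; call check_tshark with no argument to test this host.
check_tshark "TShark (Wireshark) 4.4.9 (constructed sample)."
```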
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to a fixed version that addresses this vulnerability.
- Upgrade to Wireshark version 4.6.5, 4.4.15, or later.
Avoid opening untrusted or malformed ZigBee packet capture files until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.