CVE-2026-6538
BEEP Protocol Dissector DoS in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
BEEP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product     Version / Range
wireshark   wireshark   From 4.4.0 (inc) to 4.4.14 (inc)
wireshark   wireshark   From 4.6.0 (inc) to 4.6.4 (inc)
CWE
CWE ID: CWE-121
Description: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in Wireshark affects the BEEP protocol dissector in versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. It is caused by improper handling of malformed packets, which can lead to a crash of the Wireshark application.

Specifically, the dissect_beep_tree() function can be called recursively without proper depth limiting, causing a stack overflow. A specially crafted network packet can trigger this unguarded recursion, accumulating over 200 stack frames until the operating system terminates the process with a segmentation fault (SIGSEGV).

An attacker can exploit this by sending a malformed packet over the network or by tricking a user into opening a malicious packet trace file, causing Wireshark or tshark to crash.


How can this vulnerability impact me?

This vulnerability can cause a denial of service by crashing Wireshark or tshark when processing maliciously crafted packets or files.

If you rely on Wireshark for network analysis or troubleshooting, an attacker could disrupt your ability to monitor or analyze network traffic by exploiting this flaw.

However, there is no indication that this vulnerability allows for code execution or data compromise, only that it causes the application to crash.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the BEEP dissector in Wireshark crashing due to malformed packets or malicious packet trace files. Detection involves monitoring for crashes or abnormal termination of Wireshark or tshark when processing BEEP protocol traffic or files.

Specifically, crafted TCP traffic on a BEEP port or specially crafted PCAP files can trigger the issue.

While no explicit detection commands are provided, you can monitor for crashes by running tshark or Wireshark on captured traffic containing BEEP protocol packets.

  • Use tshark to capture and analyze BEEP traffic: tshark -f "tcp port <BEEP_port>" -Y beep
  • Check logs or crash reports for Wireshark or tshark crashes related to BEEP dissector.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Wireshark to a fixed version.

  • Upgrade Wireshark to version 4.6.5, 4.4.15, or later.
  • Avoid opening untrusted or suspicious packet trace files that may contain malformed BEEP packets.
  • Be cautious when capturing live traffic on BEEP ports, as specially crafted packets can trigger the crash.
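To confirm whether a host still needs the upgrade, the following added example (not part of the original advisory and not Wireshark project code) parses the first line of `tshark --version` and compares it with the affected ranges listed above. The function names and the sample banner format in the comments are assumptions made for illustration.

```python
import re
import subprocess

# Affected ranges from the advisory above: (first, last) affected release, inclusive.
AFFECTED = [((4, 4, 0), (4, 4, 14)), ((4, 6, 0), (4, 6, 4))]

# Matches the x.y.z in a banner such as the constructed sample
# "TShark (Wireshark) 4.4.2 (v4.4.2-0-g1a2b3c4d5e6f)."
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True if the version tuple falls inside a listed range (inclusive)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)


def fixed_version(version):
    """First fixed release on the same branch, or None if not in a listed range."""
    for lo, hi in AFFECTED:
        if lo <= version <= hi:
            return (hi[0], hi[1], hi[2] + 1)
    return None


def check_banner(banner):
    """Classify a banner as 'affected', 'outside listed ranges' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # no clean x.y.z found, e.g. a development build
    return "affected" if is_affected(version) else "outside listed ranges"


if __name__ == "__main__":
    try:
        out = subprocess.run(["tshark", "--version"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = ""
    first = out.splitlines()[0] if out else ""
    print(first or "tshark not found", "->", check_banner(first))
```

A result of "outside listed ranges" only means the version is not in the two ranges this page lists; it says nothing about releases the advisory does not cover.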

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

