CVE-2026-6867
SMB2 Protocol Dissector Crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1325 | The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-6867 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The vulnerability in Wireshark's SMB2 protocol dissector is a denial-of-service issue caused by improper handling of chained PATTERN_V1 compression segments.
The dissector processes each compression segment individually, checking that each segment's uncompressed size does not exceed 16MB, but it does not check the total size across all chained segments.
An attacker can craft a small packet containing multiple chained segments, each requesting large decompression sizes, which leads Wireshark to allocate excessive memory and eventually crash.
For example, a packet with 74 segments each requesting 1,000,000 bytes forces Wireshark to allocate about 70MB, and a single segment with the maximum repetitions can cause a 1.2GB allocation, resulting in denial of service.
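The missing check described above, as an added example: a simplified C model that is not Wireshark's dissector code. The first function validates each declared size alone, the second charges every segment against one shared budget. The 16 MiB cumulative budget, the binary reading of "16MB" and all function names are assumptions; the input is the constructed 74 x 1,000,000-byte case from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PER_SEGMENT_MAX (16u * 1024u * 1024u) /* per-segment cap from the description (read as MiB) */
#define CHAIN_TOTAL_MAX (16u * 1024u * 1024u) /* assumed budget for the whole chain */

/* Flawed pattern: each declared size is checked alone, so the sum is unbounded.
 * Returns 0 if accepted, -1 if rejected; *total is the memory it would allocate. */
static int check_per_segment(const uint32_t *sizes, size_t n, uint64_t *total)
{
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > PER_SEGMENT_MAX)
            return -1;
        *total += sizes[i];
    }
    return 0;
}

/* Hardened pattern: every segment draws from one shared budget, and the chain
 * is rejected before the allocation that would exceed it. */
static int check_chain_budget(const uint32_t *sizes, size_t n, uint64_t *total)
{
    uint64_t remaining = CHAIN_TOTAL_MAX;
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > PER_SEGMENT_MAX || sizes[i] > remaining)
            return -1;
        remaining -= sizes[i];
        *total += sizes[i];
    }
    return 0;
}

/* Constructed input: n declared uncompressed sizes of 1,000,000 bytes each. */
static void fill_sample(uint32_t *sizes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        sizes[i] = 1000000u;
}

int main(void)
{
    uint32_t sizes[74];
    uint64_t total;
    fill_sample(sizes, 74);
    int rc = check_per_segment(sizes, 74, &total);
    printf("per-segment check: rc=%d bytes=%llu\n", rc, (unsigned long long)total);
    rc = check_chain_budget(sizes, 74, &total);
    printf("chain budget:      rc=%d bytes=%llu\n", rc, (unsigned long long)total);
    return 0;
}
```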
How can this vulnerability impact me?
This vulnerability can cause Wireshark to crash or consume excessive system resources when processing a specially crafted malicious packet or packet trace file.
An attacker could exploit this by tricking a user into opening a malicious packet capture file or by injecting a malformed packet during network capture.
The impact is a denial of service, which disrupts the normal operation of Wireshark and potentially affects the user's ability to analyze network traffic.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by specially crafted SMB2 packets containing multiple chained PATTERN_V1 compression segments that cause excessive memory allocation and crash Wireshark during packet processing.
Detection involves monitoring for unusual SMB2 packets with multiple chained compression segments requesting large decompression sizes.
Since the vulnerability manifests when Wireshark processes such packets, one way to detect it is to analyze captured SMB2 traffic for packets with multiple chained segments and large decompression requests.
No specific commands are provided in the available resources to detect this vulnerability directly on a network or system.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to version 4.6.5 or later, or 4.4.15 or later, where this vulnerability has been fixed.
Avoid opening untrusted or suspicious packet capture files that may contain malicious SMB2 packets designed to exploit this vulnerability.