CVE-2026-6867
SMB2 Protocol Dissector Crash in Wireshark

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-06-16
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor Product Version / Range
wireshark wireshark From 4.4.0 (inc) to 4.4.14 (inc)
wireshark wireshark From 4.6.0 (inc) to 4.6.4 (inc)
CWE ID Description
CWE-1325 The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.
Executive Summary

The vulnerability in Wireshark's SMB2 protocol dissector is a denial-of-service issue caused by improper handling of chained PATTERN_V1 compression segments.

The dissector processes each compression segment individually, checking that each segment's uncompressed size does not exceed 16MB, but it does not check the total size across all chained segments.

An attacker can craft a small packet containing multiple chained segments, each requesting large decompression sizes, which leads Wireshark to allocate excessive memory and eventually crash.

For example, a packet with 74 segments each requesting 1,000,000 bytes forces Wireshark to allocate about 70MB, and a single segment with the maximum repetitions can cause a 1.2GB allocation, resulting in denial of service.
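The per-segment versus cumulative check described above, as an added sketch (not Wireshark's code): segments are modelled only by their requested uncompressed sizes, and the function names and the 16MB aggregate budget are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PER_SEGMENT_MAX (16u * 1024u * 1024u) /* per-segment limit from the summary */
#define TOTAL_BUDGET    (16u * 1024u * 1024u) /* assumed cap for the whole chain */

/* Per-segment check only (the flawed pattern): returns the total bytes that
 * would be allocated across the chain, or -1 if a single segment is too big. */
int64_t total_with_per_segment_check(const uint32_t *sizes, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > PER_SEGMENT_MAX)
            return -1;
        total += sizes[i]; /* nothing bounds the running sum */
    }
    return (int64_t)total;
}

/* Hardened form: every segment is charged against one shared budget, so the
 * chain is rejected as soon as the cumulative request exceeds the cap. */
int64_t total_with_budget(const uint32_t *sizes, size_t n)
{
    uint64_t remaining = TOTAL_BUDGET;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > PER_SEGMENT_MAX || sizes[i] > remaining)
            return -1;
        remaining -= sizes[i];
    }
    return (int64_t)(TOTAL_BUDGET - remaining);
}

int main(void)
{
    /* Constructed input: the 74 x 1,000,000-byte chain from the summary. */
    uint32_t sizes[74];
    for (size_t i = 0; i < 74; i++)
        sizes[i] = 1000000u;
    printf("per-segment check only: %lld bytes\n",
           (long long)total_with_per_segment_check(sizes, 74));
    printf("with cumulative budget: %lld\n",
           (long long)total_with_budget(sizes, 74));
    return 0;
}
```

With the shared budget the chain is refused at the 17th segment, before the allocation total can grow past the cap.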

Impact Analysis

This vulnerability can cause Wireshark to crash or consume excessive system resources when processing a specially crafted malicious packet or packet trace file.

An attacker could exploit this by tricking a user into opening a malicious packet capture file or by injecting a malformed packet during network capture.

The impact is a denial of service, which disrupts the normal operation of Wireshark and potentially affects the user's ability to analyze network traffic.

Detection Guidance

This vulnerability is triggered by specially crafted SMB2 packets containing multiple chained PATTERN_V1 compression segments that cause excessive memory allocation and crash Wireshark during packet processing.

Detection involves monitoring for unusual SMB2 packets with multiple chained compression segments requesting large decompression sizes.

Since the vulnerability manifests when Wireshark processes such packets, one way to detect it is to analyze captured SMB2 traffic for packets with multiple chained segments and large decompression requests.

No specific commands are provided in the available resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

The immediate mitigation step is to upgrade Wireshark to version 4.6.5 or later, or 4.4.15 or later, where this vulnerability has been fixed.

Avoid opening untrusted or suspicious packet capture files that may contain malicious SMB2 packets designed to exploit this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-6867 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
