CVE-2026-6869
WebSocket Protocol Dissector Crash in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1325 | The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6869 is a vulnerability in Wireshark's WebSocket protocol dissector that causes a denial-of-service (DoS) condition. The issue arises in the WebSocket decompression function where compressed frames are inflated without any limit on the decompressed output size. This allows a specially crafted compressed frame to consume excessive memory, leading to a crash of Wireshark.
- The vulnerability occurs in the `websocket_uncompress` function in `packet-websocket.c`.
- A single compressed frame can expand massively in memory (e.g., a 101 KB compressed frame can expand to 100 MB).
- This memory exhaustion causes Wireshark or tshark to abort due to allocation size errors.
- The attack requires a crafted pcap or live capture with an HTTP 101 upgrade negotiating the "permessage-deflate" extension followed by a compressed binary frame.
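The control missing from the decompression path described above is a cap on inflated output. The following is an added example, not Wireshark's code or its fix: it inflates a permessage-deflate payload in bounded chunks and rejects it once a limit is exceeded. The names `bounded_inflate`, `make_sample` and `InflateLimitExceeded` and the limits are hypothetical, and the sample payloads are constructed.

```python
import zlib

# RFC 7692 (permessage-deflate): the sender strips this 4-byte tail from each
# compressed message and the receiver appends it again before inflating.
DEFLATE_TAIL = b"\x00\x00\xff\xff"

class InflateLimitExceeded(Exception):
    """The payload would inflate past the configured cap (hypothetical name)."""

def bounded_inflate(payload: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate one message payload, refusing to return more than max_output bytes."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)  # raw deflate, no zlib header
    out = bytearray()
    data = payload + DEFLATE_TAIL
    while data:
        # Request one byte beyond the remaining budget so an overrun is visible.
        budget = max_output - len(out) + 1
        out += d.decompress(data, min(chunk, budget))
        if len(out) > max_output:
            raise InflateLimitExceeded(f"output exceeds {max_output} bytes")
        data = d.unconsumed_tail
    # Input is exhausted here, so flush() can only return a small residue
    # still held in zlib's internal state.
    out += d.flush()
    if len(out) > max_output:
        raise InflateLimitExceeded(f"output exceeds {max_output} bytes")
    return bytes(out)

def make_sample(plain: bytes) -> bytes:
    """Constructed test input: raw deflate with the RFC 7692 tail stripped."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return (c.compress(plain) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]

if __name__ == "__main__":
    small = make_sample(b"hello websocket " * 8)
    big = make_sample(bytes(1 << 20))  # 1 MiB of zeros, constructed
    print(len(bounded_inflate(small, 64 * 1024)), "bytes inflated from", len(small))
    try:
        bounded_inflate(big, 64 * 1024)
    except InflateLimitExceeded as exc:
        print("rejected:", exc, "(input was", len(big), "bytes)")
```

The cap is checked after every chunk, so memory use is bounded by the limit rather than by what the compressed input claims to contain.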
How can this vulnerability impact me?
This vulnerability can impact users by causing Wireshark or tshark to crash or consume excessive system resources when processing maliciously crafted WebSocket traffic captures.
- An attacker can trigger a denial-of-service by injecting malformed packets or tricking a user into opening a malicious packet trace file.
- The crash results from excessive memory allocation attempts during decompression of crafted WebSocket frames.
- This can disrupt network analysis activities and potentially cause loss of data or interruption of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a denial-of-service issue triggered by a crafted compressed WebSocket frame in a pcap or live capture with an HTTP 101 upgrade negotiating the "permessage-deflate" extension followed by a single compressed binary frame.
Detection can focus on monitoring for unusual or malformed WebSocket traffic that includes HTTP 101 upgrade requests with the "permessage-deflate" extension and unusually large or suspicious compressed frames that could cause excessive memory allocation.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Wireshark to version 4.6.5, 4.4.15, or later, where the issue has been fixed.
Avoid opening untrusted or suspicious packet trace files that may contain malformed WebSocket frames exploiting this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-6869 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.