CVE-2026-5403
SBC Codec Crash in Wireshark Allows DoS and Code Execution

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: GitLab Inc.

Description
SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-05-27
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: wireshark, Product: wireshark, Version range: from 4.4.0 (inclusive) to 4.4.15 (exclusive)
Vendor: wireshark, Product: wireshark, Version range: from 4.6.0 (inclusive) to 4.6.5 (exclusive)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5403 is a heap buffer overflow vulnerability in the SBC audio codec plugin of Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The issue occurs because the codec's decoding function does not properly manage the size of its output buffer when processing multiple SBC frames, allowing the decoded output to exceed the allocated buffer size.

This happens in the function responsible for decoding SBC audio frames, where counters tracking remaining input and output space are not decremented correctly during multi-frame decoding. As a result, when processing RTP packets with more than about 256 SBC frames, the output buffer overflows, potentially leading to a crash or arbitrary code execution.

Exploitation requires user interaction, such as opening a specially crafted packet capture file in Wireshark or using its JSON-RPC interface. Systems without the required SBC codec library are not affected.
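
The counter bookkeeping described above, shown as a simplified model (an added example, not Wireshark's source code). `decode_frame`, `decode_all`, `run_model` and the frame sizes are hypothetical, and the backing array is deliberately larger than the declared capacity so the flawed path can be measured without writing out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this model; real SBC frame sizes depend on the stream. */
enum { FRAME_IN = 4, FRAME_OUT = 16, MAX_FRAMES = 512 };

/* Hypothetical one-frame decoder: returns input bytes consumed, or -1 when the
 * remaining input or output space it is told about is too small. */
static int decode_frame(const uint8_t *in, size_t in_left,
                        uint8_t *out, size_t out_left, size_t *written)
{
    if (in_left < FRAME_IN || out_left < FRAME_OUT) return -1;
    memset(out, in[0], FRAME_OUT);   /* stand-in for real decoding */
    *written = FRAME_OUT;
    return FRAME_IN;
}

/* track=0 models the flaw: pointers advance but both space counters stay at
 * their initial values. track=1 shrinks them after every decoded frame. */
size_t decode_all(int track, const uint8_t *in, size_t in_len,
                  uint8_t *out, size_t out_cap)
{
    const uint8_t *end = in + in_len;
    size_t total = 0, n;
    while (end - in >= FRAME_IN && decode_frame(in, in_len, out, out_cap, &n) > 0) {
        in += FRAME_IN; out += n; total += n;
        if (track) { in_len -= FRAME_IN; out_cap -= n; }
    }
    return total;
}

/* Decodes `frames` frames into a buffer declared as holding `cap_frames`;
 * returns bytes produced. The backing array is bigger than the declared size. */
size_t run_model(int track, size_t frames, size_t cap_frames)
{
    static uint8_t in[MAX_FRAMES * FRAME_IN], out[MAX_FRAMES * FRAME_OUT];
    if (frames > MAX_FRAMES || cap_frames > MAX_FRAMES) return 0;
    memset(in, 0x5a, sizeof in);
    return decode_all(track, in, frames * FRAME_IN, out, cap_frames * FRAME_OUT);
}

int main(void)
{
    printf("declared capacity %d, flawed wrote %zu, fixed wrote %zu\n",
           256 * FRAME_OUT, run_model(0, 400, 256), run_model(1, 400, 256));
    return 0;
}
```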


How can this vulnerability impact me?

This vulnerability can lead to denial of service by crashing Wireshark when processing maliciously crafted packet capture files.

More severely, it may allow an attacker to execute arbitrary code on the affected system if a user opens a malicious file, potentially compromising system security.

The attack requires user interaction and the presence of the SBC codec plugin, which limits remote exploitation, but it still poses a significant risk, especially in environments where untrusted packet captures are analyzed.

Cloud-based deployments of Wireshark that automatically process untrusted files may face higher exposure to this vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing packet capture files (pcapng) for the presence of malformed or crafted SBC audio codec frames that trigger the heap buffer overflow in Wireshark.

Specifically, proof-of-concept files with more than approximately 256 SBC frames (e.g., 400 SBC frames) can be used to reproduce the issue.

Detection involves opening suspicious packet trace files in Wireshark, or processing them through sharkd's JSON-RPC interface, and watching for crashes or abnormal behavior.

While no explicit commands are provided, users can use Wireshark or related tools to load and analyze pcapng files, and potentially use available PoC files or generators to test for the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Wireshark to versions 4.6.5 or 4.4.15 or later, where the vulnerability has been fixed.

Avoid opening untrusted or suspicious packet trace files, especially those containing SBC audio codec data, to prevent triggering the vulnerability.

If using Cloudshark or similar services that process untrusted files, ensure they are updated or have protections in place to handle this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-5403 on compliance with common standards and regulations such as GDPR or HIPAA.

