CVE-2026-9759
ROHC Protocol Dissector Crash in Wireshark

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitLab Inc.

Description
ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service
Meta Information

Published: 2026-05-27
Last Modified: 2026-06-01
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15

Affected Vendors & Products

Showing 2 associated CPEs

Vendor     Product    Version / Range
wireshark  wireshark  From 4.4.0 (inc) to 4.4.16 (exc)
wireshark  wireshark  From 4.6.0 (inc) to 4.6.6 (exc)

CWE ID   Description
CWE-476  The product dereferences a pointer that it expects to be valid but is NULL.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-9759 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-9759 vulnerability in Wireshark is a heap corruption issue in the ROHC (Robust Header Compression) protocol dissector. It occurs when using the uncompressed profile with large CID enabled, and a packet ends exactly at the CID field. In this case, the dissector incorrectly allocates a zero-sized buffer, leading to a NULL pointer dereference when it tries to write data to this buffer. Additionally, an integer underflow causes a second memory copy operation to attempt an invalid large size, which fails with an exception. This flaw can cause Wireshark to crash.

The issue requires a multi-packet sequence to establish the ROHC context with large CIDs, typically via GTP-U or PPP transport. It affects Wireshark versions 4.4, 4.6, and some out-of-support versions.

Impact Analysis

This vulnerability can allow an attacker to cause a denial of service by crashing Wireshark. An attacker could exploit this by injecting a malformed packet or tricking a user into opening a malicious packet trace file, causing Wireshark to crash and potentially disrupting network analysis or monitoring activities.

Detection Guidance

This vulnerability involves the ROHC protocol dissector in Wireshark crashing when processing malformed packets with specific ROHC context conditions (large CID enabled and packets ending exactly at the CID field). Detection involves monitoring for crashes or abnormal behavior in Wireshark when analyzing ROHC traffic, especially GTP-U or PPP transport packets.

Since the issue arises from malformed or crafted packets, you can detect potential exploitation attempts by capturing and inspecting ROHC packets with large CID enabled and verifying if any packets end exactly at the CID field.

There are no explicit commands provided in the resources, but you can use Wireshark or tshark to filter ROHC packets and analyze their CID fields. For example, using tshark with a filter for ROHC packets:

  • tshark -Y "rohc" -r capture.pcap
  • Then manually inspect packets where the packet length equals the CID field length or use custom scripts to detect such conditions.

Monitoring Wireshark logs or crash reports for repeated crashes in the ROHC dissector can also help detect when this vulnerability is being triggered.

Mitigation Strategies

The primary mitigation step is to upgrade Wireshark to a fixed version where this vulnerability is resolved.

  • Upgrade to Wireshark version 4.6.6 or later if you are using 4.6.0 to 4.6.5.
  • Upgrade to Wireshark version 4.4.16 or later if you are using 4.4.0 to 4.4.15.

Until the upgrade is applied, avoid opening untrusted packet capture files that may contain malformed ROHC packets, and monitor for crashes or abnormal behavior in Wireshark related to the ROHC dissector.
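
To check an installed version against the affected ranges listed above, here is an added example (not part of the original advisory). The function names are hypothetical, and the `TShark (Wireshark) X.Y.Z` banner format on the first line of `tshark --version` is an assumption.

```shell
#!/bin/sh
# Added example: classify a Wireshark/tshark version against the ranges
# this page lists for CVE-2026-9759 (4.4.0-4.4.15 and 4.6.0-4.6.5).
# Prints one of: affected | fixed | unlisted | unparsed
rohc_cve_status() {
    # Keep only the leading MAJOR.MINOR.PATCH; drops packaging suffixes.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unparsed; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        4.4) fixed_patch=16 ;;   # fixed in 4.4.16
        4.6) fixed_patch=6 ;;    # fixed in 4.6.6
        # The page says some out-of-support versions are also affected but
        # does not name them, so other branches are reported as unlisted.
        *) echo unlisted; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then echo affected; else echo fixed; fi
}

# Pull the version out of the first line of `tshark --version` output
# (assumed banner format: "TShark (Wireshark) X.Y.Z ...").
tshark_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^TShark (Wireshark) \([0-9][0-9.]*\).*/\1/p'
}

# Check the local install when tshark is on PATH; otherwise do nothing.
if command -v tshark >/dev/null 2>&1; then
    banner=$(tshark --version 2>/dev/null || true)
    local_ver=$(tshark_version_from_banner "$banner")
    echo "tshark ${local_ver:-?}: $(rohc_cve_status "$local_ver")"
fi
```

A result of `unlisted` means the branch is outside the two ranges given here and should be reviewed by hand rather than treated as safe.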
