CVE-2026-9759
Received - Intake
ROHC Protocol Dissector Crash in Wireshark

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitLab Inc.

Description
ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor     Product    Version / Range
wireshark  wireshark  From 4.6.0 (inc) to 4.6.5 (inc)
wireshark  wireshark  From 4.4.0 (inc) to 4.4.15 (inc)
CWE
CWE ID   Description
CWE-476  The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the CVE-2026-9759 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

The CVE-2026-9759 vulnerability in Wireshark is a heap corruption issue in the ROHC (Robust Header Compression) protocol dissector. It occurs when using the uncompressed profile with large CID enabled, and a packet ends exactly at the CID field. In this case, the dissector incorrectly allocates a zero-sized buffer, leading to a NULL pointer dereference when it tries to write data to this buffer. Additionally, an integer underflow causes a second memory copy operation to attempt an invalid large size, which fails with an exception. This flaw can cause Wireshark to crash.

The issue requires a multi-packet sequence to establish the ROHC context with large CIDs, typically via GTP-U or PPP transport. It affects Wireshark versions 4.4, 4.6, and some out-of-support versions.


How can this vulnerability impact me?

This vulnerability can allow an attacker to cause a denial of service by crashing Wireshark. An attacker could exploit this by injecting a malformed packet or tricking a user into opening a malicious packet trace file, causing Wireshark to crash and potentially disrupting network analysis or monitoring activities.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the ROHC protocol dissector in Wireshark crashing when processing malformed packets with specific ROHC context conditions (large CID enabled and packets ending exactly at the CID field). Detection involves monitoring for crashes or abnormal behavior in Wireshark when analyzing ROHC traffic, especially GTP-U or PPP transport packets.

Since the issue arises from malformed or crafted packets, you can detect potential exploitation attempts by capturing and inspecting ROHC packets with large CID enabled and verifying if any packets end exactly at the CID field.

There are no explicit commands provided in the resources, but you can use Wireshark or tshark to filter ROHC packets and analyze their CID fields. For example, using tshark with a filter for ROHC packets:

  • tshark -Y "rohc" -r capture.pcap
  • Then manually inspect packets where the packet length equals the CID field length or use custom scripts to detect such conditions.

Monitoring Wireshark logs or crash reports for repeated crashes related to the ROHC dissector can also help detect this vulnerability being triggered.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Wireshark to a fixed version where this vulnerability is resolved.

  • Upgrade to Wireshark version 4.6.6 or later if you are using 4.6.0 to 4.6.5.
  • Upgrade to Wireshark version 4.4.16 or later if you are using 4.4.0 to 4.4.15.

Until the upgrade is applied, avoid opening untrusted packet capture files that may contain malformed ROHC packets, and monitor for any crashes or abnormal behavior in Wireshark related to the ROHC dissector.
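
To find installs that still need the upgrade, the following added example (not from the advisory or the Wireshark project) classifies a version string against the two affected ranges listed on this page. The function names are hypothetical, the sample banners are constructed, and it assumes the first line of `tshark --version` contains the version as X.Y.Z.

```shell
#!/bin/sh
# Added example: classify a Wireshark/TShark version against the ranges
# this page lists for CVE-2026-9759 (4.6.0-4.6.5 and 4.4.0-4.4.15).
# Function names are hypothetical, not part of Wireshark.

# Pull the first "X.Y.Z" out of a banner line. Assumed banner shape:
# "TShark (Wireshark) 4.6.3 (v4.6.3-0-g...)"; a bare "4.6.3" also works.
extract_wireshark_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print one of: affected, fixed, not-listed, unknown.
rohc_cve_status() {
    ver=$(extract_wireshark_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        4.6) last_bad=5 ;;    # fixed in 4.6.6
        4.4) last_bad=15 ;;   # fixed in 4.4.16
        *)
            # Not in the listed ranges. The page says some out-of-support
            # versions are affected too, so this is not a clean bill.
            echo not-listed; return 0 ;;
    esac
    if [ "$patch" -le "$last_bad" ]; then echo affected; else echo fixed; fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "TShark (Wireshark) 4.6.3 (v4.6.3-0-g0000000)" \
              "TShark (Wireshark) 4.4.16" \
              "TShark (Wireshark) 4.2.9"; do
    printf '%-48s %s\n' "$banner" "$(rohc_cve_status "$banner")"
done

# On a host with tshark installed, classify the local build as well.
if command -v tshark >/dev/null 2>&1; then
    rohc_cve_status "$(tshark --version 2>/dev/null | head -n 1)"
fi
```

A `not-listed` result should be reviewed by hand rather than treated as safe.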

