CVE-2022-3190 Overview
CVE-2022-3190 is a denial of service vulnerability affecting Wireshark, the widely-used network protocol analyzer. The vulnerability exists in the F5 Ethernet Trailer protocol dissector, where an infinite loop condition can be triggered when processing specially crafted network packets or capture files. This allows attackers to cause a denial of service through packet injection on monitored networks or by convincing users to open malicious capture files.
Critical Impact
Attackers can crash or hang Wireshark installations by sending crafted packets to monitored network segments or distributing malicious PCAP files, disrupting network analysis operations and potentially impacting security monitoring capabilities.
Affected Products
- Wireshark versions 3.6.0 to 3.6.7
- Wireshark versions 3.4.0 to 3.4.15
- Fedora 36 and Fedora 37 (via bundled Wireshark packages)
Discovery Timeline
- 2022-09-13 - CVE-2022-3190 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-3190
Vulnerability Analysis
This vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop. The F5 Ethernet Trailer protocol dissector in Wireshark fails to properly handle certain malformed packet structures, resulting in a loop condition that never terminates. When Wireshark processes a crafted packet containing the trigger condition, the application becomes unresponsive and consumes CPU resources indefinitely.
The attack requires local access, meaning an attacker must either inject packets into a network being monitored by Wireshark or convince a user to open a malicious capture file. User interaction is required, as the victim must actively be capturing traffic or open a file for the vulnerability to be triggered. The impact is limited to availability—there is no confidentiality or integrity impact, but the application will become completely unresponsive.
Root Cause
The root cause lies in improper loop termination logic within the F5 Ethernet Trailer protocol dissector. The dissector code fails to properly validate packet field values that control loop iteration, allowing an attacker to craft packets that cause the loop counter or exit condition to never be satisfied. This results in the dissector function never returning, effectively hanging the Wireshark process.
Attack Vector
The attack can be executed through two primary vectors:
- Packet Injection: An attacker with the ability to inject packets into a network segment being monitored by Wireshark can send crafted F5 Ethernet Trailer packets that trigger the infinite loop when dissected.
- Malicious Capture File: An attacker can distribute a crafted PCAP or PCAPNG file containing the malicious packet. When a user opens this file in Wireshark, the infinite loop is triggered during packet dissection.
The vulnerability is triggered during the dissection phase when Wireshark parses the F5 Ethernet Trailer protocol fields. The malformed structure causes the dissector to enter an infinite loop, consuming 100% of a CPU core and rendering the application unresponsive. Users must force-close the application to recover.
Detection Methods for CVE-2022-3190
Indicators of Compromise
- Wireshark processes consuming 100% CPU for extended periods without progress
- Wireshark application becoming unresponsive when opening specific capture files
- Network capture files with unusual F5 Ethernet Trailer protocol structures
- Unresponsive Wireshark sessions coinciding with specific traffic patterns on monitored networks
Detection Strategies
- Monitor for Wireshark processes with abnormally high CPU utilization that persists beyond normal analysis operations
- Implement file integrity monitoring on capture files received from external sources before opening in Wireshark
- Deploy endpoint detection to identify hung Wireshark processes as potential exploitation indicators
- Audit network traffic for unusual F5 Ethernet Trailer protocol packets that may indicate injection attempts
Monitoring Recommendations
- Enable process monitoring to detect Wireshark instances that exceed CPU usage thresholds for extended durations
- Implement centralized logging for security analysis tools to identify patterns of unexpected crashes or hangs
- Monitor file downloads and email attachments for PCAP/PCAPNG files from untrusted sources
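The sustained-CPU check described in the detection and monitoring lists above, as an added example (not part of the original advisory or of Wireshark): it flags a watched process whose CPU time keeps pace with wall-clock time across a whole window. The process names, the 0.95 ratio, the 300-second window and the sample lines are assumptions constructed for illustration.

```python
"""Flag Wireshark-family processes pinned on one core across a sampling window."""
from collections import defaultdict

WATCHED = {"wireshark", "tshark"}   # assumption: process names to watch
BUSY_RATIO = 0.95                   # assumption: CPU-seconds per wall-second
MIN_WINDOW = 300                    # assumption: seconds of sustained spinning

# Constructed samples: "<epoch> <pid> <comm> <cputime>", as collected from
# periodic `ps -eo pid=,comm=,cputime=` runs with a timestamp prepended.
SAMPLES = """\
1000 4242 wireshark 00:00:05
1000 5151 tshark 00:00:01
1120 4242 wireshark 00:02:04
1120 5151 tshark 00:00:03
1240 4242 wireshark 00:04:03
1240 5151 tshark 00:00:03
1360 4242 wireshark 00:06:03
1360 5151 tshark 00:00:04
"""

def cputime_seconds(text):
    """Convert ps cputime ([[dd-]hh:]mm:ss) to seconds."""
    days, _, clock = text.rpartition("-")
    secs = 0
    for part in clock.split(":"):
        secs = secs * 60 + int(part)
    return int(days or 0) * 86400 + secs

def spinning_pids(sample_text):
    """Return {pid: seconds} for watched processes busy for >= MIN_WINDOW."""
    history = defaultdict(list)
    for line in sample_text.splitlines():
        epoch, pid, comm, cpu = line.split()
        if comm in WATCHED:
            history[int(pid)].append((int(epoch), cputime_seconds(cpu)))
    flagged = {}
    for pid, points in history.items():
        streak_start = None
        for (t0, c0), (t1, c1) in zip(points, points[1:]):
            busy = t1 > t0 and (c1 - c0) / (t1 - t0) >= BUSY_RATIO
            if not busy:
                streak_start = None   # an idle interval ends the streak
                continue
            if streak_start is None:
                streak_start = t0
            if t1 - streak_start >= MIN_WINDOW:
                flagged[pid] = t1 - streak_start
    return flagged
```

Loading a large capture also keeps one core busy for a while, so the window should be longer than the slowest legitimate file load in the environment.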
How to Mitigate CVE-2022-3190
Immediate Actions Required
- Upgrade Wireshark to version 3.6.8 or later (for 3.6.x branch) or version 3.4.16 or later (for 3.4.x branch)
- Avoid opening capture files from untrusted or unknown sources until patched
- Consider disabling the F5 Ethernet Trailer protocol dissector if not required for your analysis work
- Update Fedora systems using the official package updates for Fedora 36 and 37
Patch Information
The Wireshark development team has addressed this vulnerability in subsequent releases. Security advisory details are available in the Wireshark Security Advisory 2022-06. Technical details about the bug fix can be found in the GitLab Wireshark Issue #18307.
Linux distribution users should apply updates through their package managers:
- Fedora: Updates are available via the Fedora Package Announcement
- Debian: Security updates are documented in the Debian LTS Announcement September 2024
Workarounds
- Disable the F5 Ethernet Trailer dissector via Analyze → Enabled Protocols menu in Wireshark
- Use TShark with protocol filters to exclude F5 Ethernet Trailer processing when analyzing untrusted captures
- Run Wireshark in a sandboxed environment or virtual machine when analyzing capture files from untrusted sources
- Implement network segmentation to prevent attackers from injecting packets into monitored network segments
# Disable the F5 Ethernet Trailer dissector from the command line
wireshark --disable-protocol f5ethtrailer capture_file.pcap
# Alternative: read the capture with TShark with the same dissector disabled
tshark --disable-protocol f5ethtrailer -r capture_file.pcap
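An added example, not from the advisory or the Wireshark project, of triaging untrusted captures with the dissector disabled and a hard deadline, so that a capture that still hangs the parser is killed and reported instead of stalling the analyst. It assumes tshark is on PATH, that the dissector's protocol name is f5ethtrailer, and a 120-second deadline chosen arbitrarily.

```python
"""Open untrusted captures with the F5 trailer dissector off and a hard deadline."""
import subprocess
import sys

def tshark_cmd(capture_path):
    """tshark invocation with the F5 Ethernet Trailer dissector disabled."""
    # -q -z io,phs prints only a protocol hierarchy summary after a full pass,
    # which forces every packet through dissection.
    return ["tshark", "--disable-protocol", "f5ethtrailer",
            "-r", capture_path, "-q", "-z", "io,phs"]

def run_with_deadline(cmd, deadline_s):
    """Run cmd; return ("ok", rc), ("hung", None) or ("missing", None)."""
    try:
        # subprocess.run kills and reaps the child when the timeout expires.
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=deadline_s)
    except subprocess.TimeoutExpired:
        return ("hung", None)
    except FileNotFoundError:
        return ("missing", None)      # tshark is not installed or not on PATH
    return ("ok", proc.returncode)

def triage(paths, deadline_s=120):    # assumption: 120 s is a site-chosen limit
    """Map each capture path to its triage result."""
    return {p: run_with_deadline(tshark_cmd(p), deadline_s) for p in paths}

if __name__ == "__main__":
    for path, (state, rc) in triage(sys.argv[1:]).items():
        print(f"{path}: {state} rc={rc}")
```

A "hung" result on a patched build, or with the dissector disabled, points at a different parser problem and is worth keeping the file for.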


