
CVE-2024-0211: Wireshark DOCSIS Dissector DoS Vulnerability

CVE-2024-0211 is a denial of service flaw in Wireshark's DOCSIS dissector that allows attackers to crash the application via packet injection or crafted capture files. This post covers technical details, affected versions, and mitigation.

CVE-2024-0211 Overview

CVE-2024-0211 is a denial of service vulnerability in the Data Over Cable Service Interface Specification (DOCSIS) dissector of Wireshark 4.2.0. An attacker can crash the application by injecting malformed packets on a monitored network segment or by tricking an analyst into opening a crafted capture file. The flaw is tracked under [CWE-835] (Loop with Unreachable Exit Condition). Wireshark is widely deployed on analyst workstations, incident response laptops, and network monitoring infrastructure, making the dissector attack surface relevant to defenders. The issue was disclosed in the Wireshark Security Advisory wnpa-sec-2024-05 and tracked in the GitLab Issue Report.

Critical Impact

Network-reachable attackers can crash Wireshark and TShark instances by sending or supplying malformed DOCSIS packets, disrupting packet capture and live network monitoring operations.

Affected Products

  • Wireshark 4.2.0
  • Bundled TShark and dumpcap utilities in the same release
  • Downstream packages including Debian LTS distributions

Discovery Timeline

  • 2024-01-03 - CVE-2024-0211 published to NVD
  • 2024-09 - Debian LTS advisory issued, see the Debian LTS Announcement
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-0211

Vulnerability Analysis

The vulnerability resides in the DOCSIS protocol dissector shipped with Wireshark 4.2.0. The dissector enters a loop that fails to reach its exit condition when parsing certain malformed DOCSIS frames. Continued processing consumes resources and ultimately crashes the dissector process, terminating the capture session.

The attack does not require authentication, user interaction beyond opening a capture, or any privilege on the target host. Because Wireshark dissects packets automatically as they arrive in live captures, the same malformed input can be triggered through packet injection on a segment the analyst monitors.

Root Cause

The root cause is classified as [CWE-835], an infinite loop or loop with unreachable exit condition. Length or offset fields inside crafted DOCSIS data fail to advance the parser past a sentinel value, causing the dissector to iterate without progress. The GitLab Issue Report documents the specific dissection path involved.
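The loop shape that CWE-835 describes, as an added example that is not Wireshark's dissector code and does not model the DOCSIS format: the 3-byte record layout, the function names and the sample buffers are all constructed for illustration. It shows a length-driven walk that stalls on a zero length beside the same walk with a progress guard.

```python
import struct

HEADER = 3  # constructed record layout: 1-byte type, 2-byte big-endian total length


class MalformedRecord(ValueError):
    pass


def walk_unchecked(buf, step_budget=10_000):
    """Loop shape behind CWE-835: the length field alone moves the offset."""
    offset = steps = 0
    while offset + HEADER <= len(buf):
        _rtype, total_len = struct.unpack_from("!BH", buf, offset)
        offset += total_len          # total_len == 0 leaves offset unchanged
        steps += 1
        if steps >= step_budget:     # demo-only cap so this function returns
            return steps, False      # False: the exit condition was never reached
    return steps, True


def walk_checked(buf):
    """Same walk with a progress guard and a bounds check on every record."""
    records, offset = [], 0
    while offset + HEADER <= len(buf):
        rtype, total_len = struct.unpack_from("!BH", buf, offset)
        if total_len < HEADER:
            raise MalformedRecord(f"length {total_len} at offset {offset} makes no progress")
        if offset + total_len > len(buf):
            raise MalformedRecord(f"length {total_len} at offset {offset} overruns buffer")
        records.append((rtype, buf[offset + HEADER:offset + total_len]))
        offset += total_len
    return records


# Constructed inputs: GOOD is two well-formed records; BAD replaces the
# second record with one whose length field is 0.
GOOD = struct.pack("!BH", 1, 5) + b"ab" + struct.pack("!BH", 2, 3)
BAD = struct.pack("!BH", 1, 5) + b"ab" + struct.pack("!BH", 9, 0)

if __name__ == "__main__":
    print(walk_unchecked(GOOD), walk_unchecked(BAD))
    print(walk_checked(GOOD))
    try:
        walk_checked(BAD)
    except MalformedRecord as exc:
        print("rejected:", exc)
```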

Attack Vector

Two delivery paths exist. An attacker on a network the analyst is sniffing can inject crafted DOCSIS packets that Wireshark dissects in real time. Alternatively, an attacker can distribute a malicious pcap or pcapng file and rely on an analyst opening it. In both cases the result is process termination and loss of capture data.

No public proof-of-concept exploit is listed, and the CVE is not present on the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2024-0211

Indicators of Compromise

  • Repeated unexpected termination of wireshark, tshark, or dumpcap processes on analyst workstations
  • Crash dumps or core files referencing the DOCSIS dissector module
  • Capture sessions ending shortly after DOCSIS-tagged frames appear on the wire

Detection Strategies

  • Inventory hosts running Wireshark 4.2.0 using software asset management or endpoint telemetry
  • Alert on process exits of Wireshark binaries followed by user re-launch within a short window
  • Inspect shared capture files for malformed DOCSIS frames before distributing them to analysts
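One way to implement the exit-then-relaunch alert from the list above, as an added example rather than vendor or Wireshark code. The space-separated event format, host and user names, and the choice to treat any non-zero exit code as abnormal are assumptions; map the fields from whatever process telemetry the SIEM actually receives.

```python
from datetime import datetime, timedelta

WATCHED = {"wireshark", "tshark", "dumpcap"}

# Constructed process events: ISO time, host, user, event, image, exit code
SAMPLE_EVENTS = """\
2024-01-10T09:00:00 ws-07 alice start wireshark -
2024-01-10T09:14:31 ws-07 alice exit wireshark 139
2024-01-10T09:14:52 ws-07 alice start wireshark -
2024-01-10T09:15:40 ws-07 alice exit wireshark 139
2024-01-10T09:16:05 ws-07 alice start wireshark -
2024-01-10T10:02:00 ws-12 bob start tshark -
2024-01-10T10:30:00 ws-12 bob exit tshark 0
2024-01-10T10:30:20 ws-12 bob start tshark -
"""


def parse(text):
    """Yield (time, host, user, kind, image, exit_code) per event line."""
    for line in text.splitlines():
        ts, host, user, kind, image, code = line.split()
        yield (datetime.fromisoformat(ts), host, user, kind, image.lower(),
               None if code == "-" else int(code))


def crash_relaunch_alerts(events, window=timedelta(seconds=60), threshold=2):
    """Return (host, user, image, count) where a watched binary exited
    abnormally and was relaunched within `window` at least `threshold` times."""
    pending = {}  # (host, user, image) -> time of the last abnormal exit
    hits = {}
    for ts, host, user, kind, image, code in sorted(events, key=lambda e: e[0]):
        if image not in WATCHED:
            continue
        key = (host, user, image)
        if kind == "exit":
            if code:                      # non-zero: treated as a crash (assumption)
                pending[key] = ts
            else:                         # clean close clears any pending crash
                pending.pop(key, None)
        elif kind == "start" and key in pending:
            if ts - pending.pop(key) <= window:
                hits[key] = hits.get(key, 0) + 1
    return sorted(k + (n,) for k, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(crash_relaunch_alerts(parse(SAMPLE_EVENTS)))
```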

Monitoring Recommendations

  • Forward Wireshark process crash events from Windows, macOS, and Linux endpoints to a central SIEM
  • Track DOCSIS traffic appearing on segments where it is not expected, which may indicate injection attempts
  • Review user-opened capture files originating from untrusted sources or external collaborators

How to Mitigate CVE-2024-0211

Immediate Actions Required

  • Upgrade Wireshark 4.2.0 installations to a fixed release per the Wireshark Security Advisory
  • Apply distribution updates, including those described in the Debian LTS Announcement
  • Treat capture files from untrusted sources as potentially hostile until hosts are patched

Patch Information

The Wireshark Foundation released a fixed version addressing the DOCSIS dissector loop. Administrators should consult advisory wnpa-sec-2024-05 and upgrade to the latest stable 4.2.x release. Debian LTS users should install updates from the September 2024 advisory.

Workarounds

  • Disable the DOCSIS dissector in Analyze > Enabled Protocols if patching cannot be performed immediately
  • Avoid opening untrusted pcap or pcapng files on unpatched analyst workstations
  • Restrict live capture on segments that carry attacker-controlled traffic until the upgrade is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
