
CVE-2024-24478: Wireshark Denial of Service Vulnerability

CVE-2024-24478 is a disputed denial of service vulnerability in Wireshark affecting BGP packet dissection that could allow remote attackers to crash the application. This article covers the technical details, disputed status, and mitigation.


CVE-2024-24478 Overview

CVE-2024-24478 describes a reported denial of service condition in Wireshark versions before 4.2.0. The issue resides in the Border Gateway Protocol (BGP) dissector implemented in packet-bgp.c, specifically within the dissect_bgp_open(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo) function and its handling of the optlen field. A remote attacker can supply a crafted BGP packet that triggers abnormal processing in the dissector, causing the Wireshark process to crash.

Critical Impact

The Wireshark vendor disputes this CVE, stating that neither release 4.2.0 nor any other release was affected by the reported condition.

Affected Products

  • Wireshark versions before 4.2.0 (as originally reported)
  • BGP packet dissector component (packet-bgp.c)
  • Wireshark installations performing live BGP traffic analysis or replay of capture files containing BGP frames

Discovery Timeline

  • 2024-02-21 - CVE-2024-24478 published to the National Vulnerability Database
  • 2026-06-17 - Entry last updated in NVD with vendor dispute information

Technical Details for CVE-2024-24478

Vulnerability Analysis

The reported condition lives inside the Wireshark BGP protocol dissector. Wireshark dissectors parse network protocol fields directly from captured frames and present them to analysts. The dissect_bgp_open function processes BGP OPEN messages and reads the optlen byte that specifies the length of the optional parameters block.

According to the original report, a crafted optlen value causes the dissector to enter a state that leads to abnormal termination of the Wireshark process. The mapped weakness is CWE-680 (Integer Overflow to Buffer Overflow), suggesting the reporter attributed the crash to arithmetic on the length field that influenced subsequent memory access.

The Wireshark project disputes the finding. The vendor states that neither 4.2.0 nor any other release exhibits the described behavior. Analysts evaluating this CVE should weigh the vendor dispute alongside the referenced commit 80a4dc55f4d2fa33c2b36a99406500726d3faaef and GitLab issue 19347.

Root Cause

The reporter attributes the crash to the handling of the optlen value during BGP OPEN message dissection. Length fields supplied by remote peers can drive subsequent read operations, and insufficient bounds checking on attacker-controlled length values is a recurring class of dissector defect. The vendor disputes that any release contains this defect, indicating the proof-of-concept was not reproducible against shipping code.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction beyond opening a capture or running a live capture that observes the malicious traffic. An attacker would need to deliver a malformed BGP OPEN packet onto a segment where a Wireshark operator is dissecting traffic, or convince an analyst to open a malicious .pcap file containing such a frame. Successful exploitation terminates the Wireshark process and disrupts ongoing analysis. See the GitHub Gist proof-of-concept reference for additional technical context.

Detection Methods for CVE-2024-24478

Indicators of Compromise

  • Repeated unexpected crashes of the Wireshark or tshark process while analyzing captures containing BGP OPEN messages
  • Malformed BGP OPEN frames where the optlen field does not match the actual optional parameters payload size
  • Capture files of unknown provenance shared with analysts that contain BGP traffic targeting specific peer sessions

Detection Strategies

  • Inspect .pcap and .pcapng files for BGP OPEN messages with anomalous optlen values before opening them in Wireshark
  • Monitor analyst workstations for Wireshark process termination events correlated with capture file ingestion
  • Use command-line dissection in isolated environments to triage suspicious captures before loading them in the GUI
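As an added example (not code from this CVE record or from the Wireshark project), the following Python script implements the pre-screening step described in the indicators and strategies above: it builds a small constructed pcap in memory (the MAC/IP addresses, ASNs and router ID are made up), extracts TCP port 179 payloads, walks the BGP message stream and flags any OPEN message whose optlen disagrees with the number of bytes the message length leaves for optional parameters. The RFC 4271 OPEN layout and pcap record format are real; all function names are this example's own.

```python
"""Pre-screen a pcap for BGP OPEN messages whose optlen disagrees with the frame.

Added example, not part of the CVE record or of Wireshark. It builds a
constructed pcap in memory and checks each TCP/179 payload without relying
on any protocol dissector, so it can run in an isolated triage environment.
"""
import struct

# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
BGP_MARKER = b"\xff" * 16
BGP_OPEN = 1
BGP_PORT = 179


def bgp_open(asn, hold, router_id, optlen, opt_params=b""):
    """Build a BGP OPEN message (RFC 4271). optlen is written as given so the
    sample below can contain a header that disagrees with its parameters."""
    body = struct.pack("!BHH4sB", 4, asn, hold, router_id, optlen) + opt_params
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body


def tcp_frame(payload, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=BGP_PORT):
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left zero; constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def iter_frames(pcap):
    """Yield the packet bytes of each record in a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def tcp_payload(frame):
    """Return (sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 20 or ip[9] != 6:
        return None
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    doff = (tcp[12] >> 4) * 4
    sport, dport = struct.unpack("!HH", tcp[:4])
    return sport, dport, tcp[doff:]


def check_bgp_messages(payload):
    """Walk the BGP messages in one TCP payload; return [(offset, reason)] findings."""
    findings, off = [], 0
    while off + 19 <= len(payload):
        if payload[off:off + 16] != BGP_MARKER:
            findings.append((off, "bad marker"))
            break
        length, mtype = struct.unpack("!HB", payload[off + 16:off + 19])
        if length < 19 or off + length > len(payload):
            findings.append((off, f"message length {length} exceeds payload"))
            break
        if mtype == BGP_OPEN:
            if length < 29:  # 19-byte header + 10-byte fixed OPEN body
                findings.append((off, f"OPEN length {length} shorter than fixed body"))
            else:
                optlen, avail = payload[off + 28], length - 29
                if optlen != avail:
                    findings.append((off, f"OPEN optlen {optlen} != {avail} bytes available"))
        off += length
    return findings


def scan_pcap(pcap):
    """Return [(frame_no, offset, reason)] for BGP frames with inconsistent headers."""
    results = []
    for n, frame in enumerate(iter_frames(pcap), 1):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        sport, dport, data = parsed
        if BGP_PORT not in (sport, dport) or not data:
            continue
        results.extend((n, off, reason) for off, reason in check_bgp_messages(data))
    return results


def build_sample_pcap():
    """Constructed sample: two consistent OPENs, then one whose optlen overstates its parameters."""
    rid = bytes([10, 0, 0, 1])
    params = bytes([2, 6, 1, 4, 0, 1, 0, 1])  # one capability parameter, 8 bytes
    frames = [tcp_frame(bgp_open(65001, 90, rid, 0)),
              tcp_frame(bgp_open(65001, 90, rid, len(params), params)),
              tcp_frame(bgp_open(65002, 90, rid, 40, params))]  # claims 40, only 8 present
    out = PCAP_GLOBAL_HDR
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for frame_no, off, reason in scan_pcap(build_sample_pcap()):
        print(f"frame {frame_no} offset {off}: {reason}")
```

To run it against a real file, replace build_sample_pcap() with the bytes read from the capture; the checker only understands classic pcap with Ethernet link type and IPv4, so pcapng or VLAN-tagged captures would need a small extension to iter_frames and tcp_payload.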

Monitoring Recommendations

  • Log application crash events on systems running Wireshark and forward them to a central analytics platform
  • Restrict analyst handling of untrusted capture files to dedicated sandboxed virtual machines
  • Track Wireshark version inventories across analyst endpoints to ensure patched builds are deployed where applicable

How to Mitigate CVE-2024-24478

Immediate Actions Required

  • Review the vendor commit and GitLab issue 19347 to determine applicability to your environment
  • Maintain Wireshark on the latest stable release to incorporate ongoing dissector hardening
  • Avoid opening capture files received from untrusted sources on production analyst workstations

Patch Information

The Wireshark vendor disputes that any release was affected by this CVE. No dedicated security advisory or patch release is attributed to CVE-2024-24478. Organizations should still track Wireshark updates through the official Wireshark project repository and apply current stable releases, which include continuous improvements to the BGP dissector.

Workarounds

  • Disable the BGP dissector through Analyze > Enabled Protocols when analyzing untrusted captures that do not require BGP decoding
  • Use tshark with restricted dissector sets in an isolated environment to pre-screen capture files
  • Apply operating system process protections and crash recovery so that dissector failures do not affect broader analyst workflows

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
