CVE-2024-4854 Overview
CVE-2024-4854 is a denial-of-service vulnerability in the Wireshark network protocol analyzer. The flaw exists in the MONGO and ZigBee TLV dissectors, which enter an infinite loop when processing crafted packet data. Affected versions include Wireshark 4.2.0 through 4.2.4, 4.0.0 through 4.0.14, and 3.6.0 through 3.6.22. Attackers can trigger the condition through packet injection on a monitored network or by supplying a malicious capture file to an analyst. The issue is classified under CWE-835 (Loop with Unreachable Exit Condition). Linux distributions including Fedora 39, Fedora 40, and Debian have shipped updated packages.
Critical Impact
Remote attackers can exhaust CPU resources on systems running Wireshark, halting traffic analysis and disrupting incident response workflows.
Affected Products
- Wireshark 4.2.0 through 4.2.4
- Wireshark 4.0.0 through 4.0.14 and 3.6.0 through 3.6.22
- Fedora 39 and Fedora 40
Discovery Timeline
- 2024-05-14 - CVE-2024-4854 published to NVD
- 2024-09 - Debian LTS security update released
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-4854
Vulnerability Analysis
The vulnerability resides in two Wireshark protocol dissectors: the MongoDB wire protocol (MONGO) dissector and the ZigBee Type-Length-Value (TLV) dissector. Both contain parsing logic that fails to advance the read offset under specific input conditions. When the dissector encounters crafted field lengths or malformed structures, the parsing loop never reaches its exit condition. The dissector continues processing the same bytes indefinitely, consuming a CPU core and blocking the Wireshark UI or tshark worker thread.
Because Wireshark dissectors execute against any packet matching the relevant heuristics or port assignments, an attacker does not need authentication or user interaction beyond inducing capture of the malicious traffic. The Wireshark project addressed the issue in GitLab Merge Request #15047 and Merge Request #15499, tracked in Issue #19726.
Root Cause
The root cause is a missing bounds-progression check inside the dissector parsing loops. The code relies on length fields embedded in attacker-controlled data to advance the buffer pointer. When those length fields are zero or otherwise inconsistent, the loop iterates without consuming bytes. This pattern matches CWE-835, Loop with Unreachable Exit Condition.
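The loop shape described above, as an added example that is constructed here and is not Wireshark's dissector source: a walker over MongoDB-style length-prefixed records, where the length field counts its own header, with the progress check that turns a zero or undersized length into a parse error instead of an endless loop. The record layout, function names and sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not Wireshark's dissector source: a walker over
 * length-prefixed records whose 4-byte little-endian length counts itself,
 * as the MongoDB wire-protocol message length does. */
#define HDR_LEN 4u
enum walk_status { WALK_OK = 0, WALK_TRUNCATED = 1, WALK_NO_PROGRESS = 2 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened loop: every iteration must consume bytes or the walk stops. */
enum walk_status walk_records(const uint8_t *buf, size_t len, size_t *count)
{
    size_t offset = 0;
    *count = 0;
    while (offset < len) {
        if (len - offset < HDR_LEN)
            return WALK_TRUNCATED;              /* header does not fit */
        uint32_t rec_len = read_le32(buf + offset);
        /* Vulnerable shape (CWE-835): "offset += rec_len;" with no check, so
         * a record length below HDR_LEN re-parses the same header forever. */
        if (rec_len < HDR_LEN)
            return WALK_NO_PROGRESS;            /* length cannot advance us */
        if (rec_len > len - offset)
            return WALK_TRUNCATED;              /* claims more than remains */
        offset += rec_len;                      /* guaranteed to move forward */
        (*count)++;
    }
    return WALK_OK;
}

/* Constructed sample streams: two valid records, then a zero-length one. */
static const uint8_t good_stream[] = { 6,0,0,0, 0xAA,0xBB,  4,0,0,0 };
static const uint8_t zero_len_stream[] = { 0,0,0,0, 1,2 };

int main(void)
{
    size_t n;
    enum walk_status s = walk_records(good_stream, sizeof good_stream, &n);
    printf("good stream: status %d, %zu records\n", (int)s, n);
    s = walk_records(zero_len_stream, sizeof zero_len_stream, &n);
    printf("zero-length record: status %d (2 = no progress)\n", (int)s);
    return 0;
}
```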
Attack Vector
An attacker has two delivery paths. The first is live packet injection on a network segment where a target is running Wireshark or tshark for traffic analysis. The second is delivering a crafted .pcap or .pcapng capture file to an analyst, who then opens it for review. Both paths are unauthenticated and require no privileges on the target host.
The vulnerability does not allow code execution or data disclosure. Impact is limited to availability of the Wireshark process, but during active incident response this loss of visibility can be operationally significant.
No public exploit code or proof-of-concept has been published for this issue, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Wireshark Security Advisory wnpa-sec-2024-07 for vendor technical details.
Detection Methods for CVE-2024-4854
Indicators of Compromise
- Wireshark or tshark processes pinned at 100% CPU on a single core with no progress in packet count
- Unresponsive Wireshark GUI shortly after starting a capture on a segment carrying MongoDB or ZigBee traffic
- Crash dumps or hangs immediately after opening a third-party capture file containing MONGO or ZigBee TLV frames
Detection Strategies
- Inventory all hosts running Wireshark and compare installed versions against the patched releases (4.2.5, 4.0.15, 3.6.23, or later)
- Hunt for unexpected MongoDB protocol traffic (TCP/27017 and related) on segments where MongoDB is not deployed
- Flag inbound .pcap or .pcapng files received via email or download by analysts and validate origin before opening
Monitoring Recommendations
- Alert on sustained high CPU usage by wireshark.exe, wireshark, or tshark processes on analyst workstations
- Log software inventory data for Wireshark across endpoints and review on each vendor advisory cycle
- Monitor package management events on Linux distributions to confirm timely application of the Fedora and Debian updates
How to Mitigate CVE-2024-4854
Immediate Actions Required
- Upgrade Wireshark to version 4.2.5, 4.0.15, 3.6.23, or later on all analyst workstations and capture servers
- Apply the Fedora updates referenced in the Fedora package announcement for Fedora 39 and 40
- Apply the Debian LTS update on Debian systems
- Avoid opening untrusted capture files until patches are deployed
Patch Information
The Wireshark Foundation released fixed builds documented in Security Advisory wnpa-sec-2024-07. Source-level fixes are available in Merge Request #15047 and Merge Request #15499. Distribution-specific packages are available through Fedora and Debian security channels.
Workarounds
- Disable the MONGO and ZigBee TLV dissectors via Analyze > Enabled Protocols in the Wireshark UI until patching is complete
- Run analysis sessions inside an isolated virtual machine that can be reset if a dissector hangs
- Restrict the systems used to open capture files to a small set of patched hosts under change control
# Disable affected dissectors from the command line
tshark --disable-protocol mongo --disable-protocol zbee_tlv -r suspect_capture.pcapng
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.