CVE-2026-0959 Overview
CVE-2026-0959 is a denial of service vulnerability affecting the IEEE 802.11 protocol dissector in Wireshark. The vulnerability exists in Wireshark versions 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12, where a specially crafted packet can trigger an out-of-bounds write (CWE-787) in the 802.11 wireless protocol dissector, causing the application to crash.
Critical Impact
Attackers can cause Wireshark to crash by sending or injecting malicious IEEE 802.11 packets, disrupting network analysis and security monitoring operations.
Affected Products
- Wireshark versions 4.6.0 to 4.6.2
- Wireshark versions 4.4.0 to 4.4.12
Discovery Timeline
- 2026-01-14 - CVE-2026-0959 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-0959
Vulnerability Analysis
This vulnerability is classified as an out-of-bounds write (CWE-787) within Wireshark's IEEE 802.11 protocol dissector. The flaw occurs when processing malformed 802.11 wireless network packets, where insufficient bounds checking allows memory writes beyond allocated buffer boundaries. This can be triggered remotely over a network when a user captures or analyzes traffic containing the malicious packet.
The vulnerability requires user interaction—specifically, a user must capture or open a packet capture file containing the malicious traffic. The impact is limited to availability, as successful exploitation results in a denial of service condition through application crash, without affecting data confidentiality or integrity.
Root Cause
The root cause is an out-of-bounds write vulnerability in the IEEE 802.11 dissector code. When parsing certain malformed wireless protocol frames, the dissector fails to properly validate field lengths or buffer boundaries before writing data. This results in memory corruption that leads to an application crash. Protocol dissectors in Wireshark are particularly susceptible to such issues due to the complexity of parsing arbitrary network traffic that may not conform to protocol specifications.
Attack Vector
The attack can be executed remotely over a network. An attacker can craft malicious IEEE 802.11 packets and either:
- Transmit them over a wireless network where the victim is performing packet capture
- Embed the malicious packets in a PCAP file and trick the victim into opening it
- Inject the packets into network traffic being analyzed by the target Wireshark instance
The exploitation mechanism involves sending specially crafted 802.11 frames that trigger the out-of-bounds write condition in the dissector. When Wireshark attempts to parse these frames, the improper memory access causes the application to crash, resulting in denial of service. This can disrupt critical network analysis operations, security monitoring, and incident response activities that depend on Wireshark.
Detection Methods for CVE-2026-0959
Indicators of Compromise
- Unexpected Wireshark crashes during wireless traffic analysis or when opening PCAP files
- Application crash logs indicating segmentation faults in the 802.11 dissector module
- Repeated Wireshark process terminations without user interaction
Detection Strategies
- Monitor system logs for Wireshark crash events, particularly those referencing the IEEE 802.11 dissector
- Implement endpoint detection rules for abnormal Wireshark process terminations
- Review packet captures for malformed 802.11 frames with unusual field lengths
Monitoring Recommendations
- Enable verbose logging in Wireshark to capture dissector errors before crashes
- Monitor for patterns of repeated application crashes in network analysis environments
- Implement file integrity monitoring on PCAP files received from external sources
How to Mitigate CVE-2026-0959
Immediate Actions Required
- Upgrade Wireshark to version 4.6.3 or later (for 4.6.x branch) or 4.4.13 or later (for 4.4.x branch)
- Avoid opening untrusted PCAP files until the patch is applied
- Limit wireless traffic capture to trusted environments
- Consider using read-only analysis systems isolated from production networks
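The version ranges above can be checked across an inventory of analysis hosts. The following is an added example, not code from the advisory or from the Wireshark project; it assumes each host reports a banner such as the first line of `tshark --version`, and the host names and banner strings are constructed.

```python
import re

# Affected ranges and first fixed releases, as stated in this advisory.
AFFECTED = {
    (4, 6): ((4, 6, 0), (4, 6, 2), "4.6.3"),
    (4, 4): ((4, 4, 0), (4, 4, 12), "4.4.13"),
}

# Assumed banner shape: "TShark (Wireshark) 4.4.12 (v4.4.12-0-g...)".
VERSION_RE = re.compile(r"\b(?:Wireshark|TShark)\b.*?(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(banner):
    """Classify a banner against the ranges listed in this advisory.

    Returns (status, first_fixed_version_or_None), where status is
    'affected', 'not-listed' (outside the listed ranges) or 'unknown'.
    """
    version = parse_version(banner)
    if version is None:
        return ("unknown", None)
    entry = AFFECTED.get(version[:2])
    if entry and entry[0] <= version <= entry[1]:
        return ("affected", entry[2])
    return ("not-listed", None)


if __name__ == "__main__":
    # Constructed inventory lines (host, banner), not real tool output.
    inventory = [
        ("sensor-01", "TShark (Wireshark) 4.4.12 (v4.4.12-0-g0000000)."),
        ("sensor-02", "TShark (Wireshark) 4.6.3 (v4.6.3-0-g0000000)."),
        ("analyst-07", "Wireshark 4.6.1"),
        ("legacy-03", "tshark: command not found"),
    ]
    for host, banner in inventory:
        status, fixed = assess(banner)
        note = f" -> upgrade to {fixed} or later" if fixed else ""
        print(f"{host}: {status}{note}")
```

Hosts reported as `unknown` returned a banner the parser could not read and need a manual check rather than being treated as patched.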
Patch Information
Wireshark has released security updates addressing this vulnerability. Users should upgrade to the latest stable version available. For detailed patch information, refer to the Wireshark Security Advisory wnpa-sec-2026-02 and the GitLab issue tracker.
Workarounds
- Disable the IEEE 802.11 dissector if wireless protocol analysis is not required: Edit → Preferences → Protocols → IEEE 802.11 → Disable
- Use capture filters to exclude 802.11 traffic: not wlan
- Process untrusted captures in isolated virtual machines or sandboxed environments
- Use TShark with strict protocol filters to pre-validate captures before opening in Wireshark GUI