CVE-2026-0960 Overview
CVE-2026-0960 is a denial of service vulnerability in Wireshark versions 4.6.0 to 4.6.2 caused by an infinite loop in the HTTP3 protocol dissector. When processing specially crafted network traffic or capture files, the HTTP3 dissector can enter an unbounded loop, consuming CPU resources and causing the application to become unresponsive. This vulnerability allows local attackers to crash Wireshark through malicious packet captures, disrupting network analysis operations.
Critical Impact
Attackers can trigger a denial of service condition by providing a malicious capture file or network traffic containing crafted HTTP3 packets, causing Wireshark to hang indefinitely and requiring process termination.
Affected Products
- Wireshark 4.6.0
- Wireshark 4.6.1
- Wireshark 4.6.2
Discovery Timeline
- 2026-01-14 - CVE CVE-2026-0960 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-0960
Vulnerability Analysis
This vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The HTTP3 protocol dissector in Wireshark fails to properly handle certain malformed packet structures, causing the parsing logic to enter a loop without a valid termination condition.
HTTP3 is a relatively new protocol built on QUIC, and its complex frame structure requires careful bounds checking during dissection. The vulnerable code path is triggered when the dissector encounters specific malformed frame headers or length fields, causing it to repeatedly process the same data without advancing through the packet buffer.
The attack requires user interaction—a victim must open a malicious capture file or capture traffic from a network controlled by the attacker. This makes it a local attack vector rather than remotely exploitable over the network.
Root Cause
The root cause is improper loop termination logic in the HTTP3 protocol dissector. When parsing HTTP3 frames, the dissector fails to properly validate frame length fields or advance buffer pointers under certain conditions. This results in the dissector repeatedly attempting to parse the same malformed data, never reaching a valid exit condition.
Protocol dissectors in Wireshark must carefully track buffer positions and implement safeguards against malformed input that could cause infinite processing. The HTTP3 dissector lacked sufficient validation to prevent this specific class of loop vulnerability.
Attack Vector
The attack vector requires local access and user interaction. An attacker can exploit this vulnerability through:
- Malicious Capture Files: Creating a specially crafted .pcapng or .pcap file containing malformed HTTP3 traffic and distributing it to potential victims
- Network Traffic Injection: If the attacker can inject traffic on a network segment being captured, they can send malformed HTTP3 packets that trigger the vulnerability when processed
- Shared Capture Files: Uploading malicious captures to file-sharing platforms or attaching them to emails targeting security analysts
The vulnerability results in complete denial of service of the Wireshark application, requiring the user to forcefully terminate the process.
Detection Methods for CVE-2026-0960
Indicators of Compromise
- Wireshark processes consuming 100% CPU without making progress on packet analysis
- Unresponsive Wireshark GUI when opening capture files containing HTTP3 traffic
- Application hang events logged by the operating system for Wireshark processes
- Presence of suspicious .pcap or .pcapng files received from untrusted sources
Detection Strategies
- Monitor for Wireshark processes with abnormally high CPU usage that persist beyond normal analysis timeframes
- Implement endpoint detection rules for Wireshark application hangs or crashes
- Use file integrity monitoring to track incoming capture files from external sources
- Enable application crash reporting to identify recurring Wireshark terminations
Monitoring Recommendations
- Deploy endpoint monitoring for CPU resource exhaustion by network analysis tools
- Implement file scanning policies for capture files received via email or file transfer
- Monitor for patterns of Wireshark process terminations that could indicate exploitation attempts
- Consider sandboxing untrusted capture files before opening them in the primary analysis environment
How to Mitigate CVE-2026-0960
Immediate Actions Required
- Update Wireshark to version 4.6.3 or later, which contains the fix for this vulnerability
- Avoid opening capture files from untrusted or unknown sources until patched
- Exercise caution when analyzing network traffic from potentially hostile networks
- Consider using tshark with the HTTP3 dissector disabled for untrusted captures
Patch Information
Wireshark has addressed this vulnerability in their security advisory WNPA-SEC-2026-04. Users should upgrade to Wireshark version 4.6.3 or later to remediate this issue. The fix implements proper loop termination checks in the HTTP3 dissector to prevent infinite processing of malformed packets.
Additional technical details about the vulnerability can be found in the GitLab issue tracker.
Workarounds
- Disable the HTTP3 protocol dissector by navigating to Analyze → Enabled Protocols and unchecking HTTP3
- Use the command-line option --disable-protocol http3 when running tshark or wireshark
- Process untrusted captures in an isolated virtual machine or container environment
- Implement capture file sandboxing workflows for files received from external parties
# Disable HTTP3 dissector via command line
tshark -o "http3.enable:FALSE" -r suspicious_capture.pcap
# Alternative: Disable protocol entirely
wireshark --disable-protocol http3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
