CVE-2026-0962 Overview
CVE-2026-0962 is a denial of service vulnerability affecting the SOME/IP-SD protocol dissector in Wireshark network protocol analyzer. The vulnerability allows remote attackers to crash Wireshark by sending specially crafted network packets, resulting in service disruption for network administrators and security analysts who rely on packet capture and analysis.
Critical Impact
An attacker can cause Wireshark to crash by sending malicious SOME/IP-SD packets, disrupting network monitoring and forensic analysis operations.
Affected Products
- Wireshark versions 4.6.0 to 4.6.2
- Wireshark versions 4.4.0 to 4.4.12
Discovery Timeline
- 2026-01-14 - CVE-2026-0962 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-0962
Vulnerability Analysis
This vulnerability resides in Wireshark's SOME/IP-SD (Scalable service-Oriented MiddlewarE over IP - Service Discovery) protocol dissector. The SOME/IP-SD protocol is commonly used in automotive and IoT environments for service discovery and announcement between ECUs (Electronic Control Units).
The root cause is classified as CWE-787 (Out-of-Bounds Write), indicating that the dissector improperly handles malformed SOME/IP-SD packets, resulting in a memory write operation beyond allocated buffer boundaries. When processing specially crafted packets, the dissector fails to properly validate input lengths or buffer boundaries, leading to memory corruption and subsequent application crash.
The vulnerability can be triggered remotely via network-based attack vectors, though user interaction is required (such as opening a malicious packet capture file or capturing live traffic containing malicious packets).
Root Cause
The vulnerability stems from an out-of-bounds write condition (CWE-787) in the SOME/IP-SD protocol dissector. When parsing service discovery messages, the dissector does not adequately validate the length fields within the protocol structure, allowing an attacker to supply values that cause writes beyond the intended memory region.
Attack Vector
The attack can be executed remotely over the network. An attacker can exploit this vulnerability by:
- Sending malformed SOME/IP-SD packets to a network segment being monitored by Wireshark
- Creating a malicious packet capture file (.pcap or .pcapng) and tricking a user into opening it
- Injecting crafted packets into network traffic that a victim is actively capturing
The vulnerability mechanism involves crafting SOME/IP-SD packets with malformed length fields or structure elements that trigger the out-of-bounds write condition when the dissector attempts to parse them. Technical details regarding the specific parsing flaw can be found in the GitLab Wireshark Issue #20945 and the Wireshark Security Notification 2026-03.
Detection Methods for CVE-2026-0962
Indicators of Compromise
- Unexpected Wireshark crashes when analyzing SOME/IP-SD traffic
- Application crash dumps referencing the SOME/IP-SD dissector module
- Wireshark process termination during live capture or file analysis involving automotive/IoT protocols
- Error logs indicating memory access violations in packet dissection routines
Detection Strategies
- Monitor for repeated Wireshark process crashes, particularly when analyzing SOME/IP or automotive protocol traffic
- Implement network traffic analysis to detect anomalous SOME/IP-SD packets with malformed headers or unusual length values
- Review system logs for crash reports associated with Wireshark processes
- Deploy endpoint detection to identify patterns of application instability targeting analysis tools
Monitoring Recommendations
- Enable crash reporting and centralized logging for Wireshark installations across the organization
- Monitor for suspicious network activity involving SOME/IP-SD protocol traffic from untrusted sources
- Implement file integrity monitoring for packet capture files before opening in vulnerable Wireshark versions
- Track Wireshark version deployment across endpoints to identify systems running vulnerable versions
How to Mitigate CVE-2026-0962
Immediate Actions Required
- Upgrade Wireshark to the latest patched version beyond 4.6.2 or 4.4.12
- Disable the SOME/IP-SD protocol dissector if not required for analysis operations
- Avoid opening untrusted packet capture files from unknown sources
- Run Wireshark in isolated environments when analyzing potentially malicious captures
Patch Information
Security patches addressing this vulnerability are available from the Wireshark project. Refer to the Wireshark Security Notification 2026-03 for official patch information and updated versions. Users should upgrade to the latest stable release that includes the fix for this vulnerability.
Workarounds
- Disable the SOME/IP-SD dissector via Wireshark preferences: Analyze > Enabled Protocols > Uncheck SOME/IP-SD
- Use TShark with dissector filtering to exclude SOME/IP-SD processing when analyzing untrusted captures
- Implement network segmentation to limit exposure of monitoring systems to potentially malicious traffic
- Run Wireshark analysis in sandboxed or containerized environments to contain potential crashes
# Disable SOME/IP-SD dissector via command line
wireshark --disable-protocol someipsd
# Alternatively, use TShark with protocol filtering
tshark -r suspicious.pcap --disable-protocol someipsd
# Edit Wireshark preferences file to permanently disable
echo "someipsd.enable: FALSE" >> ~/.config/wireshark/preferences
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
