Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15166

CVE-2026-15166: Wireshark IEEE 802.11 DoS Vulnerability

CVE-2026-15166 is a denial of service flaw in Wireshark's IEEE 802.11 protocol dissector that causes application crashes. Affecting versions 4.6.0-4.6.6 and 4.4.0-4.4.16, this article covers technical details and mitigation.

Published:

CVE-2026-15166 Overview

CVE-2026-15166 is a denial of service vulnerability in the Wireshark IEEE 802.11 protocol dissector. Malformed 802.11 frames processed by the dissector trigger a crash in the packet analyzer. The flaw affects Wireshark versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16. The Common Weakness Enumeration classification is [CWE-121] stack-based buffer overflow. Local attackers can exploit the vulnerability by convincing an analyst to open a crafted capture file or by injecting malicious packets on a monitored network. The result is a crash of the Wireshark process and interruption of packet analysis work.

Critical Impact

A crafted 802.11 packet or capture file crashes Wireshark, disrupting network analysis and forensic workflows on analyst workstations.

Affected Products

  • Wireshark 4.6.0 through 4.6.6
  • Wireshark 4.4.0 through 4.4.16
  • IEEE 802.11 protocol dissector component

Discovery Timeline

  • 2026-07-08 - CVE-2026-15166 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15166

Vulnerability Analysis

The vulnerability resides in the Wireshark IEEE 802.11 protocol dissector. When the dissector parses a malformed 802.11 wireless frame, it writes beyond the bounds of a stack buffer. The out-of-bounds write corrupts adjacent stack memory and causes the Wireshark process to terminate. The dissector processes packets automatically when a capture file is loaded or when live capture is active. Exploitation requires user interaction, such as opening a malicious packet capture file or loading traffic that contains the crafted frame.

The impact is limited to availability. The vulnerability does not grant code execution, memory disclosure, or privilege escalation in its documented form. Analysts working with untrusted PCAP files or monitoring adversarial wireless networks are the primary targets. Repeated triggering can block forensic and incident response workflows that depend on Wireshark.

Root Cause

The underlying defect is a stack-based buffer overflow [CWE-121] in the 802.11 dissector code path. The dissector fails to validate a length or offset field in the wireless frame header before copying data into a fixed-size stack buffer. Details are tracked in GitLab Work Item #21391 and Wireshark Security Advisory WNPA-SEC-2026-57.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a crafted .pcap or .pcapng file to the analyst, or transmits a malformed 802.11 frame within range of a monitored wireless interface. When Wireshark or tshark parses the frame, the dissector crashes. No authentication or elevated privileges are required to craft the payload. See the Wireshark Security Advisory WNPA-SEC-2026-57 for the reference frame structure that triggers the fault.

Detection Methods for CVE-2026-15166

Indicators of Compromise

  • Unexpected termination of wireshark.exe, wireshark, or tshark processes on analyst workstations
  • Application crash dumps referencing the 802.11 dissector in the call stack
  • Receipt of untrusted .pcap or .pcapng files from external sources immediately before a crash

Detection Strategies

  • Inventory Wireshark installations and flag hosts running 4.6.0–4.6.6 or 4.4.0–4.4.16
  • Alert on repeated Wireshark or tshark process crashes on the same host within a short window
  • Inspect capture files received via email or download for anomalous 802.11 frames before opening them

Monitoring Recommendations

  • Collect Windows Error Reporting and Linux coredump events for Wireshark binaries and forward them to a central log store
  • Monitor endpoint telemetry for Wireshark being launched against files sourced from untrusted network shares or downloads
  • Track software version data from asset management tools to confirm patch adoption across analyst systems

How to Mitigate CVE-2026-15166

Immediate Actions Required

  • Upgrade Wireshark to a fixed release as identified in Wireshark Security Advisory WNPA-SEC-2026-57
  • Restrict analysts from opening capture files received from untrusted sources until patching is complete
  • Isolate systems used for adversarial packet analysis from production analyst workstations

Patch Information

The Wireshark Foundation addressed the defect in the 4.6.x and 4.4.x release branches. Refer to Wireshark Security Advisory WNPA-SEC-2026-57 for the specific fixed version numbers and to GitLab Work Item #21391 for the code changes. Apply the vendor-provided binaries or rebuild from source at the patched commit.

Workarounds

  • Disable the IEEE 802.11 dissector under Analyze → Enabled Protocols when working with untrusted captures
  • Use tshark with --disable-protocol wlan to skip the vulnerable parser during automated processing
  • Open unknown capture files inside a disposable virtual machine to contain crashes and any downstream impact
bash
# Disable the IEEE 802.11 dissector when parsing untrusted captures
tshark -r suspicious.pcapng --disable-protocol wlan -V

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.