Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15171

CVE-2026-15171: Wireshark SSH Protocol DoS Vulnerability

CVE-2026-15171 is a denial of service vulnerability in Wireshark's SSH protocol dissector affecting versions 4.6.0-4.6.6 and 4.4.0-4.4.16. This post covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-15171 Overview

CVE-2026-15171 is a denial-of-service vulnerability in the Secure Shell (SSH) protocol dissector shipped with Wireshark. The flaw affects Wireshark versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16. An attacker can trigger a crash of the Wireshark process by causing the application to parse a malformed SSH packet capture or live traffic. The Wireshark Foundation tracks the issue under advisory WNPA-2026-55. The underlying weakness is a NULL pointer dereference [CWE-476] in the dissector code path.

Critical Impact

Successful exploitation crashes the Wireshark analysis process, interrupting packet capture and investigation workflows on the affected host.

Affected Products

  • Wireshark 4.6.0 through 4.6.6
  • Wireshark 4.4.0 through 4.4.16
  • Deployments using the built-in SSH protocol dissector

Discovery Timeline

  • 2026-07-08 - CVE-2026-15171 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-15171

Vulnerability Analysis

The issue resides in the SSH protocol dissector, one of the many packet parsers bundled with Wireshark. When the dissector processes a specifically crafted SSH message, a required object reference is not initialized before use. The dissector then attempts to read from that reference and dereferences a NULL pointer, terminating the Wireshark process. The bug is classified as [CWE-476] NULL Pointer Dereference. Exploitation requires user interaction: a local analyst must open a malicious capture file or point Wireshark at a live interface receiving the crafted traffic. The vector is local because the vulnerability is triggered inside the analyst's Wireshark process, not against a network service. Confidentiality and integrity are not impacted, but availability of the analysis workflow is lost until the process is restarted.

Root Cause

The SSH dissector fails to validate that internal state or a parsed field is non-NULL before dereferencing it. Under specific message sequences or malformed length fields, the code path is reached with an unset pointer. The Wireshark Foundation resolved the defect in the SSH dissector source. See the GitLab Wireshark Work Item for the upstream tracking record.

Attack Vector

An attacker delivers a malicious .pcap, .pcapng, or equivalent capture file to a target analyst, or injects crafted SSH-flavored packets onto a network segment that a target is capturing. When Wireshark or tshark parses the traffic, the SSH dissector crashes. This disrupts incident response and forensic activities but does not yield code execution based on the published advisory. Full details are available in the Wireshark Security Advisory WNPA-2026-55.

Detection Methods for CVE-2026-15171

Indicators of Compromise

  • Unexpected termination of wireshark.exe, wireshark, or tshark processes during capture analysis
  • Capture files received from untrusted sources that reference SSH traffic on non-standard ports
  • Repeated Wireshark crash reports generated shortly after opening a specific .pcapng file

Detection Strategies

  • Inventory endpoints and analyst workstations running Wireshark 4.6.04.6.6 or 4.4.04.4.16 and flag versions below the fixed releases
  • Monitor for abnormal exit codes or crash dumps associated with the Wireshark or tshark binaries
  • Review file transfer and email gateways for capture files delivered to security analysts from external senders

Monitoring Recommendations

  • Enable operating system crash reporting (Windows Error Reporting, systemd-coredump) on analyst hosts and forward events to a central log store
  • Track process creation events for wireshark and tshark alongside their termination status to correlate crashes with specific capture files
  • Alert on Wireshark installations that remain on unpatched minor versions after the vendor advisory publication date

How to Mitigate CVE-2026-15171

Immediate Actions Required

  • Upgrade Wireshark to a fixed release above 4.6.6 in the 4.6 branch or above 4.4.16 in the 4.4 branch as published in advisory WNPA-2026-55
  • Restrict analysts from opening capture files sourced from untrusted third parties until the upgrade is completed
  • Audit shared analysis workstations and CI pipelines that invoke tshark for automated dissection

Patch Information

The Wireshark Foundation has released updated builds addressing the SSH dissector NULL pointer dereference. Refer to the Wireshark Security Advisory WNPA-2026-55 for exact fixed version numbers and download links, and to the GitLab Wireshark Work Item for source-level details.

Workarounds

  • Disable the SSH dissector in Wireshark preferences under Analyze → Enabled Protocols until the patch is applied
  • Use tshark with --disable-protocol ssh when processing capture files of unknown provenance
  • Run Wireshark inside an isolated virtual machine or sandbox when handling suspicious capture files
bash
# Configuration example: disable the SSH dissector when running tshark
tshark -r suspicious_capture.pcapng --disable-protocol ssh

# Verify installed Wireshark version before analysis
wireshark --version | head -n 1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.