CVE-2026-15172 Overview
CVE-2026-15172 is a denial-of-service vulnerability in the File Management Protocol (FMP) NOTIFY dissector shipped with Wireshark. Affected releases include Wireshark 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16. An attacker triggers the flaw by convincing a user to open a crafted capture file or by injecting malformed FMP/NOTIFY traffic that Wireshark then dissects. Successful exploitation crashes the analyzer process, interrupting packet analysis workflows. The issue is classified under [CWE-606] (Unchecked Input for Loop Condition) and carries a local attack vector with user interaction required.
Critical Impact
Malformed FMP/NOTIFY traffic causes Wireshark to crash, disrupting packet capture analysis and incident response investigations that rely on the tool.
Affected Products
- Wireshark 4.6.0 through 4.6.6
- Wireshark 4.4.0 through 4.4.16
- FMP/NOTIFY protocol dissector component
Discovery Timeline
- 2026-07-08 - CVE-2026-15172 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-15172
Vulnerability Analysis
The flaw lives in the FMP/NOTIFY protocol dissector, one of many packet dissectors bundled with Wireshark. Dissectors parse binary protocol fields and translate them into human-readable output. When the dissector processes attacker-controlled data, it fails to validate a value used as a loop condition. The result is a crash of the Wireshark or TShark process. The impact is confined to availability. Confidentiality and integrity are not affected, and no code execution has been demonstrated.
Root Cause
The underlying weakness is [CWE-606] Unchecked Input for Loop Condition. A length or count field taken from the packet drives iteration inside the dissector without adequate bounds validation. Malformed input pushes the loop into an unsafe state that terminates the process. Additional technical context is available in the Wireshark Security Advisory and the GitLab Work Item.
Attack Vector
Exploitation requires local user interaction. An attacker delivers a crafted .pcap or .pcapng capture file containing malformed FMP/NOTIFY frames. When an analyst opens the file in Wireshark or replays it through TShark, the dissector processes the attacker payload and the process terminates. The same result occurs if Wireshark is live-capturing on a segment where an attacker can inject FMP/NOTIFY traffic. No authentication is required for the packet path, but the analyst must load or capture the malicious data.
No public proof-of-concept exploit has been released. Verified code examples are not available, so a synthetic exploitation snippet is not included here.
Detection Methods for CVE-2026-15172
Indicators of Compromise
- Unexpected termination of wireshark.exe, wireshark, or tshark processes while opening capture files
- Crash dumps or core files generated by Wireshark referencing the FMP/NOTIFY dissector
- Capture files received from untrusted sources that contain FMP/NOTIFY frames with anomalous length fields
Detection Strategies
- Inventory endpoints running Wireshark 4.6.0-4.6.6 or 4.4.0-4.4.16 using software asset management data
- Alert on Wireshark or TShark process crashes correlated with recent file-open events on analyst workstations
- Inspect email and file-sharing gateways for .pcap or .pcapng attachments delivered to security or network engineering teams
Monitoring Recommendations
- Forward endpoint process-termination and crash telemetry to a centralized log platform for correlation
- Track version compliance for Wireshark installations and flag hosts that remain on vulnerable releases
- Review analyst workflows that automatically ingest third-party capture files and add sandboxed preview steps
How to Mitigate CVE-2026-15172
Immediate Actions Required
- Upgrade Wireshark to a fixed release above 4.6.6 for the 4.6 branch or above 4.4.16 for the 4.4 branch as published in the vendor advisory
- Restrict opening of untrusted capture files to isolated analysis virtual machines
- Communicate the risk to SOC and network engineering teams that regularly handle external .pcap files
Patch Information
Refer to the Wireshark Security Advisory wnpa-sec-2026-54 for the fixed version numbers and download links. The upstream fix is tracked in the GitLab Work Item 21347. Apply the patched build across all analyst workstations, forensics VMs, and automated pipelines that invoke tshark.
Workarounds
- Disable the FMP/NOTIFY dissector in Wireshark preferences under Analyze > Enabled Protocols until the patched version is deployed
- Avoid processing capture files from untrusted origins with vulnerable Wireshark builds
- Run Wireshark inside a non-privileged account or sandbox to contain crash impact on the host
# Disable the FMP/NOTIFY dissector via the Wireshark disabled_protos file
# Location: %APPDATA%\Wireshark\disabled_protos (Windows)
# ~/.config/wireshark/disabled_protos (Linux/macOS)
echo "fmp_notify" >> ~/.config/wireshark/disabled_protos
# Verify the installed Wireshark version
tshark --version | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

