Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15173

CVE-2026-15173: Wireshark pcapng Parser DoS Vulnerability

CVE-2026-15173 is a denial of service vulnerability in Wireshark's pcapng file parser affecting versions 4.6.0 to 4.6.6. Attackers can crash the application through malformed files. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-15173 Overview

CVE-2026-15173 is a denial-of-service vulnerability in the Wireshark pcapng file parser. The flaw affects Wireshark versions 4.6.0 through 4.6.6 and stems from a heap-based memory error [CWE-122]. An attacker who convinces a user to open a crafted pcapng capture file can crash the Wireshark process. Exploitation requires local file access and user interaction, and the impact is limited to application availability. Confidentiality and integrity are not affected. The vulnerability is tracked in the Wireshark advisory WNPA-SEC-2026-53 and GitLab work item #21285.

Critical Impact

Opening a malicious pcapng file in an affected Wireshark build causes the parser to crash, disrupting analyst workflows and packet capture review.

Affected Products

  • Wireshark 4.6.0
  • Wireshark 4.6.x through 4.6.6
  • pcapng file parser component

Discovery Timeline

  • 2026-07-08 - CVE-2026-15173 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-15173

Vulnerability Analysis

The vulnerability resides in the pcapng file parser used by Wireshark to process the next-generation packet capture format. Wireshark builds 4.6.0 through 4.6.6 mishandle memory operations while parsing malformed pcapng structures. The condition is classified as a heap-based buffer error [CWE-122], which leads to an application crash rather than code execution. According to the vendor advisory, the outcome is limited to denial of service against the analyst workstation.

Root Cause

The root cause is improper bounds handling in the pcapng dissector when interpreting attacker-controlled block or option fields. A crafted capture file supplies length or offset values that push subsequent read or write operations beyond the boundaries of the allocated heap buffer. The parser does not validate these values before use, so processing terminates with a memory fault. Full technical detail is tracked in GitLab Work Item #21285.

Attack Vector

Exploitation is local and requires user interaction. An attacker delivers a malicious .pcapng file through email, a shared drive, an incident-response evidence package, or a public capture repository. When an analyst opens the file in a vulnerable Wireshark build, the parser crashes. The attack cannot be executed remotely without user action and does not yield code execution, credential access, or data disclosure. See the Wireshark Security Advisory WNPA-SEC-2026-53 for the vendor description.

Detection Methods for CVE-2026-15173

Indicators of Compromise

  • Unexpected crashes of wireshark.exe, wireshark, or tshark processes shortly after opening a pcapng file
  • Presence of untrusted .pcapng files delivered via email attachments, chat, or external media
  • Crash dumps or Windows Error Reporting events referencing the Wireshark pcapng dissector

Detection Strategies

  • Inventory endpoints running Wireshark and identify installations reporting versions 4.6.0 through 4.6.6
  • Alert on repeated Wireshark process termination events on analyst workstations
  • Flag inbound .pcapng files from external senders and correlate with subsequent Wireshark launches

Monitoring Recommendations

  • Collect process crash and application error telemetry from workstations used for packet analysis
  • Monitor file-open events for .pcapng extensions originating outside trusted evidence repositories
  • Track Wireshark version deployment through software inventory tooling and flag builds below 4.6.7

How to Mitigate CVE-2026-15173

Immediate Actions Required

  • Upgrade all Wireshark installations to a fixed release above the 4.6.6 branch as identified in WNPA-SEC-2026-53
  • Do not open pcapng captures received from untrusted or unverified sources
  • Restrict Wireshark use to dedicated analysis systems isolated from production data

Patch Information

Refer to the Wireshark Security Advisory WNPA-SEC-2026-53 for the fixed version and download links. The corresponding fix is tracked in GitLab Work Item #21285. Apply the vendor-supplied update through standard software distribution channels.

Workarounds

  • Use tshark or capinfos with caution and only against captures from trusted sources until patched
  • Convert suspect captures to another format in a sandboxed environment before opening in Wireshark
  • Enforce application allowlisting to prevent execution of vulnerable Wireshark builds on shared analyst systems

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.