CVE-2026-15174 Overview
CVE-2026-15174 is a denial of service vulnerability in the Catapult DCT2000 protocol dissector shipped with Wireshark. The flaw affects Wireshark versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16. A crafted capture file or packet stream can trigger a heap-based buffer overflow [CWE-122] inside the dissector, causing the Wireshark process to crash. The issue requires local user interaction, typically opening a malicious .out capture file or feeding data through a live capture. Exploitation does not yield code execution based on available advisories, but it disrupts analyst workflows and interferes with incident response activities.
Critical Impact
Analysts opening a malicious Catapult DCT2000 capture file experience a Wireshark crash, disrupting packet analysis and incident response tasks.
Affected Products
- Wireshark 4.6.0 through 4.6.6
- Wireshark 4.4.0 through 4.4.16
- Catapult DCT2000 protocol dissector component
Discovery Timeline
- 2026-07-08 - CVE-2026-15174 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15174
Vulnerability Analysis
The Catapult DCT2000 dissector parses log files produced by Catapult Communications DCT2000 test equipment. The dissector processes text-based headers and embedded binary payloads representing telecom protocol traces. A malformed record triggers a heap-based buffer overflow during parsing, corrupting adjacent heap memory and terminating the Wireshark process.
The advisory classifies the issue under [CWE-122] Heap-based Buffer Overflow. The CVSS vector indicates local attack complexity with required user interaction and impact limited to availability. Confidentiality and integrity remain unaffected in the observed crash pattern, though heap corruption vulnerabilities can occasionally escalate depending on allocator state.
Root Cause
The root cause lies in insufficient bounds checking when the dissector copies data from a parsed DCT2000 record into a heap-allocated buffer. When a record specifies a length that exceeds the buffer capacity or contains malformed length prefixes, the dissector writes past the allocation boundary. Refer to the Wireshark Security Advisory WNPA-SEC-2026-52 and GitLab Work Item 21270 for the code-level fix.
Attack Vector
An attacker crafts a malicious DCT2000 capture file and delivers it to a target analyst through email, shared drives, ticketing systems, or malware analysis submissions. When the analyst opens the file in Wireshark or tshark, the dissector processes the crafted record and crashes. Live-capture exploitation is also possible if the attacker can inject data on a network segment where Wireshark performs live decoding of DCT2000 traffic.
No verified public exploit code is available. The vulnerability is described in prose in the linked Wireshark security advisory without a reproducer.
Detection Methods for CVE-2026-15174
Indicators of Compromise
- Unexpected termination of wireshark.exe, wireshark, or tshark processes on analyst workstations
- Application crash reports referencing the packet-dct2000 dissector module
- Suspicious .out capture files received from untrusted sources or embedded in incident tickets
- Heap corruption signatures in Windows Error Reporting or Linux core dumps tied to Wireshark
Detection Strategies
- Inventory Wireshark installations across analyst workstations and compare versions against 4.6.7 and 4.4.17 or later
- Alert on Wireshark process crashes in EDR telemetry, correlating with recent file open events for capture files
- Inspect email and file share gateways for capture file extensions delivered from external senders
Monitoring Recommendations
- Forward Wireshark crash artifacts and Windows Error Reporting events to a central log store for review
- Track .pcap, .pcapng, and .out file transfers to workstations belonging to SOC and forensics teams
- Monitor package management logs to confirm patched Wireshark builds are deployed enterprise-wide
How to Mitigate CVE-2026-15174
Immediate Actions Required
- Upgrade Wireshark to a patched release above 4.6.6 in the 4.6 branch or above 4.4.16 in the 4.4 branch
- Instruct analysts to avoid opening untrusted DCT2000 capture files until patching completes
- Disable the Catapult DCT2000 dissector in Analyze > Enabled Protocols on unpatched systems that do not require it
Patch Information
The Wireshark Foundation released fixed builds referenced in Wireshark Security Advisory WNPA-SEC-2026-52. The code fix is tracked in GitLab Work Item 21270. Package maintainers for major Linux distributions typically backport the fix; verify the Wireshark package version through the distribution advisory channel.
Workarounds
- Disable the DCT2000 dissector via the Wireshark GUI or by editing the disabled_protos preference file
- Run Wireshark in a sandboxed virtual machine when handling untrusted capture files
- Use capinfos or a hex viewer to triage suspicious capture files before opening them in Wireshark
# Disable the DCT2000 dissector by appending to the user's disabled_protos file
echo "dct2000" >> ~/.config/wireshark/disabled_protos
# Verify installed Wireshark version
wireshark --version | head -n 1
tshark --version | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

