CVE-2026-3202 Overview
CVE-2026-3202 is a Null Pointer Dereference vulnerability affecting Wireshark versions 4.6.0 through 4.6.3. The vulnerability exists within the NTS-KE (Network Time Security Key Establishment) protocol dissector, which can be triggered to crash when processing specially crafted network traffic. This denial of service condition allows remote attackers to terminate Wireshark analysis sessions without requiring any user interaction beyond capturing malicious traffic.
Critical Impact
Remote attackers can crash Wireshark instances by sending malformed NTS-KE protocol packets, disrupting network analysis and security monitoring operations.
Affected Products
- Wireshark 4.6.0
- Wireshark 4.6.1
- Wireshark 4.6.2
- Wireshark 4.6.3
Discovery Timeline
- 2026-02-25 - CVE-2026-3202 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-3202
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory corruption issue that occurs when the NTS-KE protocol dissector attempts to dereference a pointer that has not been properly initialized or has been set to NULL. The NTS-KE protocol is used for establishing cryptographic keys in Network Time Security implementations, and Wireshark's dissector for this protocol contains a flaw in how it handles certain malformed packet structures.
When Wireshark encounters a specially crafted NTS-KE packet during live capture or when opening a capture file, the dissector fails to properly validate pointer values before dereferencing them. This results in an immediate application crash, terminating the Wireshark session and potentially losing unsaved capture data.
Root Cause
The root cause of CVE-2026-3202 lies in insufficient input validation within the NTS-KE protocol dissector code. The dissector does not properly check for NULL pointer conditions before attempting to access memory through pointers derived from packet data. When malformed NTS-KE protocol data is parsed, the code path leads to a NULL pointer dereference, causing the application to crash.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction beyond the target running Wireshark while capturing or analyzing network traffic containing the malicious packets. An attacker can exploit this vulnerability by:
- Sending crafted NTS-KE protocol packets to a network segment being monitored by Wireshark
- Including malformed NTS-KE data in a capture file shared with a target analyst
- Injecting malicious packets into network traffic during active capture sessions
The vulnerability manifests in the NTS-KE protocol dissector when processing malformed packet structures. When Wireshark attempts to parse certain fields within the NTS-KE protocol data, it encounters a NULL pointer that is subsequently dereferenced, leading to an immediate crash. For detailed technical information about the specific code paths involved, refer to the GitLab Wireshark Issue and the Wireshark Security Advisory 2026-06.
Detection Methods for CVE-2026-3202
Indicators of Compromise
- Unexpected Wireshark application crashes during network capture sessions
- Core dump files or crash reports indicating NULL pointer dereference in dissector code
- Presence of unusual NTS-KE protocol traffic on port 4460 (default NTS-KE port)
- Wireshark error logs referencing the NTS-KE dissector module
Detection Strategies
- Monitor for abnormal termination of Wireshark processes across analyst workstations
- Implement network intrusion detection rules to identify malformed NTS-KE protocol packets
- Review system logs for application crash events associated with Wireshark binaries
- Deploy endpoint detection solutions to alert on repeated Wireshark crashes
Monitoring Recommendations
- Configure centralized logging for security analyst workstations to capture Wireshark crash events
- Establish baseline metrics for Wireshark process uptime to detect anomalous termination patterns
- Implement network traffic analysis for NTS-KE protocol anomalies on relevant network segments
- Enable crash dump collection for forensic analysis of potential exploitation attempts
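The crash-monitoring guidance above can be prototyped over centralized logs. The following is an added example, not part of the original advisory or any vendor tooling: it counts wireshark and tshark core dumps per host and reports hosts at or above a threshold. It assumes Linux workstations forwarding systemd-coredump messages in syslog format; the host names and log lines are constructed.

```shell
#!/bin/sh
# Added example: flag hosts with repeated Wireshark/tshark core dumps.
# Assumption: syslog-rendered systemd-coredump lines, host name in field 4.

# Constructed sample log (not taken from a real environment).
sample_log() {
    cat <<'EOF'
Feb 26 09:14:07 analyst-ws01 systemd-coredump[4312]: Process 4288 (wireshark) of user 1000 dumped core.
Feb 26 09:16:40 analyst-ws01 systemd-coredump[4390]: Process 4371 (wireshark) of user 1000 dumped core.
Feb 26 09:17:02 analyst-ws02 systemd-coredump[2210]: Process 2198 (firefox) of user 1001 dumped core.
Feb 26 09:21:55 analyst-ws01 systemd-coredump[4467]: Process 4450 (tshark) of user 1000 dumped core.
Feb 26 10:03:18 analyst-ws03 systemd-coredump[1877]: Process 1860 (wireshark) of user 1002 dumped core.
EOF
}

# usage: crash_hosts THRESHOLD < logfile
# Prints "host count" for every host with at least THRESHOLD crashes of
# wireshark or tshark; crashes of other processes are ignored.
crash_hosts() {
    awk -v min="$1" '
        /systemd-coredump\[[0-9]+\]: Process [0-9]+ \((wireshark|tshark)\) of user [0-9]+ dumped core/ {
            n[$4]++
        }
        END {
            for (h in n) if (n[h] >= min + 0) print h, n[h]
        }
    ' | sort
}

# A single crash can be noise; repeated crashes on one workstation are the
# pattern worth escalating and correlating with NTS-KE traffic on port 4460.
sample_log | crash_hosts 2
```

A hit is a lead for triage rather than proof of exploitation; the collected core dump shows whether the fault is in dissector code.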
How to Mitigate CVE-2026-3202
Immediate Actions Required
- Upgrade Wireshark to version 4.6.4 or later to address this vulnerability
- If immediate patching is not possible, disable the NTS-KE protocol dissector as a temporary workaround
- Review capture files from untrusted sources in isolated environments
- Avoid capturing traffic on networks where malicious NTS-KE packets may be present until patched
Patch Information
Wireshark has released security updates to address this vulnerability. Users should upgrade to Wireshark 4.6.4 or the latest available version. The official security advisory with patch details is available at the Wireshark Security Advisory 2026-06. Organizations should prioritize this update for systems actively used in network security monitoring and analysis roles.
Workarounds
- Disable the NTS-KE protocol dissector through Wireshark's protocol preferences until patching is complete
- Use the --disable-protocol command-line option to disable specific dissector decoding when processing untrusted captures
- Isolate Wireshark analysis sessions in virtual machines when examining untrusted capture files
- Consider using alternative packet analysis tools temporarily for environments where patching cannot be immediately performed
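# Confirm the dissector's filter name first (assumed below to be nts-ke)
tshark -G protocols | grep -i nts
# Disable NTS-KE dissector via command line for a single session
wireshark --disable-protocol nts-ke capture.pcapng
# Alternative: disable it persistently via the profile's disabled_protos file
echo "nts-ke" >> ~/.config/wireshark/disabled_protos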
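To verify that a workstation is no longer exposed, the version range and the workaround can be checked together. This is an added example, not part of the original advisory or the Wireshark project: it assumes the dissector's filter name is nts-ke (confirm with `tshark -G protocols`) and that disabled protocols are listed in the default profile's disabled_protos file; the sample banner is constructed.

```shell
#!/bin/sh
# Added example. Assumptions: filter name "nts-ke" (confirm with
# `tshark -G protocols`), default-profile disabled_protos path.
NTSKE_FILTER="nts-ke"

# Pull "X.Y.Z" out of the first line of `tshark --version` output.
parse_version() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/\.$/, "", f)
            if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) { print f; exit }
        }
    }'
}

# Affected releases exactly as listed in the advisory: 4.6.0 through 4.6.3.
is_affected() {
    case "$1" in
        4.6.0|4.6.1|4.6.2|4.6.3) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the dissector's filter name is a whole line of disabled_protos.
dissector_disabled() {
    [ -r "$1" ] && grep -qxF -- "$NTSKE_FILTER" "$1"
}

# Print one status word for a version banner and a disabled_protos path.
assess() {
    ver=$(parse_version "$1")
    if [ -z "$ver" ]; then echo "unknown"
    elif ! is_affected "$ver"; then echo "not-affected"
    elif dissector_disabled "$2"; then echo "affected-mitigated"
    else echo "affected-exposed"
    fi
}

# Constructed sample banner (not captured from a real host).
SAMPLE_BANNER='TShark (Wireshark) 4.6.2 (v4.6.2-0-g0123456789ab).'
echo "sample: $(assess "$SAMPLE_BANNER" /nonexistent/disabled_protos)"

# Live check, only when tshark is installed on this machine.
if command -v tshark >/dev/null 2>&1; then
    echo "local: $(assess "$(tshark --version 2>/dev/null)" \
        "${HOME:-}/.config/wireshark/disabled_protos")"
fi
```

The check covers only the default profile; custom profiles keep their own disabled_protos file and need the same check.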