CVE-2026-5404 Overview
CVE-2026-5404 is a denial of service vulnerability in the Wireshark K12 RF5 file parser. The flaw affects Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. An attacker can trigger a parser crash by convincing a user to open a malformed K12 RF5 capture file in Wireshark or TShark. The vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input).
Impact
A crafted K12 RF5 capture file crashes Wireshark or TShark as soon as it is opened. The impact is confined to availability of the analyzer: the process terminates, disrupting packet analysis and interrupting any investigation in progress. No code execution, information disclosure, or integrity impact is attributed to the flaw.
Affected Products
- Wireshark 4.6.0 through 4.6.4
- Wireshark 4.4.0 through 4.4.14
- Downstream distribution packages that ship an affected Wireshark release; the K12 RF5 reader is part of libwiretap, which TShark and Wireshark's other capture-file utilities share with the GUI
Discovery Timeline
- 2026-05-01 - CVE-2026-5404 published to NVD
- 2026-05-01 - Last updated in NVD database
- 2026-05-07 - EPSS data published (probability 0.011%, percentile 1.276)
Technical Details for CVE-2026-5404
Vulnerability Analysis
The vulnerability resides in the K12 RF5 capture file parser shipped with Wireshark. The parser fails to enforce proper boundary checks when copying data from a crafted RF5 file into internal buffers. Processing a malicious file produces a crash, terminating the Wireshark or TShark process.
The issue requires user interaction. A victim must open or load the malicious capture file inside an affected Wireshark build. The attacker does not need credentials or network access to the target host. Exploitation does not yield code execution, information disclosure, or integrity loss according to the CVSS vector. The impact is limited to availability of the analyzer.
Root Cause
The parser performs an unchecked copy operation on attacker-controlled length fields embedded in the K12 RF5 file format, consistent with CWE-120. Malformed records cause the parser to read or write outside allocated buffer bounds, producing a fatal crash. Refer to the Wireshark Security Advisory WNPA-2026-15 and the GitLab Wireshark Issue #21094 for the upstream technical analysis.
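The bug class described above, shown as an added illustration that is not the page's or Wireshark's own code (it is not wiretap/k12.c): a length-prefixed record model with the unchecked copy beside a bounds-checked one. The record layout (4-byte big-endian length covering the whole record, 4-byte type, then payload) and the sample streams are assumptions constructed for the example, not the real K12 RF5 structure.

```c
/*
 * Added illustration of the CWE-120 pattern the advisory describes.
 * NOT Wireshark's wiretap/k12.c. The record layout (4-byte big-endian
 * length covering the whole record, 4-byte type, payload) is an assumed,
 * simplified model, not the real K12 RF5 structure, and the sample
 * streams below are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR_LEN 8u     /* length field + type field */
#define MAX_PAYLOAD 256u   /* fixed-size internal buffer the parser copies into */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* header or body runs past the end of the input */
    PARSE_BAD_LEN = 2,     /* length field smaller than the header itself */
    PARSE_TOO_LARGE = 3    /* payload would not fit the destination buffer */
};

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE pattern: the copy length comes straight from the file.
 * A length of 0x7ffffff0 makes memcpy read far past the input and write
 * far past 'out'; a length below 8 underflows to a huge size_t. */
static void copy_payload_unchecked(const uint8_t *rec, uint8_t out[MAX_PAYLOAD]) {
    uint32_t rec_len = rd_be32(rec);                        /* attacker-controlled */
    memcpy(out, rec + REC_HDR_LEN, rec_len - REC_HDR_LEN);  /* no bound on either side */
}

/* HARDENED form: the length must cover the header, fit inside the remaining
 * input, and fit the destination before a single byte is copied. */
static int copy_payload_checked(const uint8_t *buf, size_t buf_len, size_t off,
                                uint8_t out[MAX_PAYLOAD], size_t *payload_len,
                                size_t *next_off) {
    if (buf_len - off < REC_HDR_LEN)
        return PARSE_TRUNCATED;
    uint32_t rec_len = rd_be32(buf + off);
    if (rec_len < REC_HDR_LEN)
        return PARSE_BAD_LEN;
    if (rec_len > buf_len - off)
        return PARSE_TRUNCATED;
    size_t plen = rec_len - REC_HDR_LEN;
    if (plen > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;
    memcpy(out, buf + off + REC_HDR_LEN, plen);
    *payload_len = plen;
    *next_off = off + rec_len;
    return PARSE_OK;
}

/* Walks a whole stream with the checked copier. Returns the record count,
 * or the negated parse_status of the first malformed record. */
static long walk_records_checked(const uint8_t *buf, size_t buf_len) {
    uint8_t payload[MAX_PAYLOAD];
    size_t off = 0, plen = 0, next = 0;
    long count = 0;
    while (off < buf_len) {
        int st = copy_payload_checked(buf, buf_len, off, payload, &plen, &next);
        if (st != PARSE_OK)
            return -(long)st;
        off = next;
        count++;
    }
    return count;
}

/* Constructed sample streams (not real captures). */
static const uint8_t k_benign[] = {
    0x00,0x00,0x00,0x0C, 0x00,0x01,0x00,0x20, 'A','B','C','D',   /* 12-byte record */
    0x00,0x00,0x00,0x0A, 0x00,0x02,0x00,0x31, 0x00,0x00          /* 10-byte record */
};
static const uint8_t k_huge_len[] = {
    0x00,0x00,0x00,0x0C, 0x00,0x01,0x00,0x20, 'A','B','C','D',
    0x7F,0xFF,0xFF,0xF0, 0x00,0x02,0x00,0x31, 0x00,0x00          /* claims ~2 GiB */
};
static const uint8_t k_short_len[] = {
    0x00,0x00,0x00,0x0C, 0x00,0x01,0x00,0x20, 'A','B','C','D',
    0x00,0x00,0x00,0x04, 0x00,0x02,0x00,0x31                     /* length < header */
};
static const uint8_t k_oversize[400] = {
    0x00,0x00,0x01,0x34, 0x00,0x01,0x00,0x20                     /* 308-byte record, 300-byte payload */
};

int main(void) {
    uint8_t out[MAX_PAYLOAD];
    /* The unchecked copier behaves on benign input, which is how such bugs ship. */
    copy_payload_unchecked(k_benign, out);
    printf("benign: %ld records\n", walk_records_checked(k_benign, sizeof k_benign));
    printf("huge length: status %ld\n", walk_records_checked(k_huge_len, sizeof k_huge_len));
    printf("short length: status %ld\n", walk_records_checked(k_short_len, sizeof k_short_len));
    printf("oversize payload: status %ld\n", walk_records_checked(k_oversize, sizeof k_oversize));
    return 0;
}
```

The three rejections cover the three ways a length field can lie: larger than the remaining input (over-read), smaller than its own header (integer underflow), and larger than the destination (over-write). A parser that checks only one of them still crashes on the other two.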
Attack Vector
Delivery requires social engineering. An attacker emails, uploads, or otherwise distributes a crafted K12 RF5 capture file to an analyst. Opening the file in an affected version of Wireshark or TShark triggers the crash. Shared analysis platforms and automated pipelines that run Wireshark or TShark over uploaded captures are equally exposed, and there the only interaction needed is the upload itself.
No proof-of-concept exploit is publicly available. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, and EPSS scoring places exploitation probability at 0.011%.
Detection Methods for CVE-2026-5404
Indicators of Compromise
- Unexpected termination of wireshark.exe, tshark.exe, or the equivalent Linux or macOS binaries when opening capture files
- Crash dumps or Windows Error Reporting events tied to Wireshark processes that were processing K12 RF5 files
- Inbound capture files that carry the K12 RF5 magic or an .rf5 extension and originate from untrusted email senders or file-sharing links; libwiretap identifies the format from the file's leading bytes, not its name, so a K12 RF5 file renamed to .pcap still reaches the vulnerable reader
Detection Strategies
- Monitor endpoints running Wireshark for abnormal process exits and correlate with recent file-open events
- Inspect mail and web gateway logs for .rf5 attachments delivered to security analysts and incident responders
- Track Wireshark version inventory using software asset management tools to flag hosts still on vulnerable releases
Monitoring Recommendations
- Alert on Wireshark or TShark process crashes generated outside of expected debugging activity
- Audit shared capture-file repositories for files added by external or unverified contributors
- Maintain telemetry on analyst workstations because the local attack vector limits visibility to endpoint sources
How to Mitigate CVE-2026-5404
Immediate Actions Required
- Upgrade Wireshark to a fixed release as documented in WNPA-2026-15
- Avoid opening K12 RF5 capture files received from untrusted sources until the upgrade is complete
- Inventory all systems running Wireshark 4.6.0–4.6.4 or 4.4.0–4.4.14 and prioritize patching
Patch Information
The Wireshark Foundation has published a security advisory and a corresponding fix tracked in GitLab Issue #21094. Apply the vendor-supplied update for the 4.6 or 4.4 branch. Users on long-term support distributions should pull the backported package from their distribution repository once available.
Workarounds
- The K12 RF5 reader is a libwiretap file-format module, not a protocol dissector, so it cannot be switched off in the Enabled Protocols dialog or through preferences. Until the upgrade is applied, keep untrusted .rf5 files away from Wireshark, TShark, and the other libwiretap-based tools (capinfos, editcap, mergecap), all of which autodetect the format from the file's leading bytes
- Restrict capture-file processing to dedicated analysis hosts isolated from production networks
- When triaging an untrusted file, force the format you expect instead of relying on autodetection (tshark -X read_format:pcapng, or the "Read as" file type selector in the Wireshark Open dialog), and check the first eight bytes against the K12 RF5 magic 00 00 02 00 12 05 00 10 with a non-Wireshark tool before opening
# Verify installed Wireshark and TShark versions on Linux
wireshark --version | head -n 1
tshark --version | head -n 1
# Check the first 8 bytes against the K12 RF5 magic (0000020012050010) before opening
od -An -tx1 -N8 suspect.rf5 | tr -d ' \n'; echo
# Force TShark to read an untrusted file as the format you expect, so the K12 RF5 reader is never tried
tshark -X read_format:pcapng -r untrusted.pcapng
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.