CVE-2026-5405 Overview
CVE-2026-5405 is a memory corruption vulnerability in the Remote Desktop Protocol (RDP) dissector of Wireshark. The flaw affects Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. An attacker can trigger a crash in the dissector by getting a user to open a crafted capture file or by injecting malformed packets into a live capture session. Exploitation results in denial of service and may allow code execution within the Wireshark process. The Wireshark Foundation tracks this issue under advisory wnpa-sec-2026-17 and classifies it as CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
Critical Impact
A crafted RDP packet stream or capture file can crash Wireshark and potentially execute arbitrary code in the analyst's user context.
Affected Products
- Wireshark 4.6.0 through 4.6.4
- Wireshark 4.4.0 through 4.4.14
- Installations using the bundled RDP protocol dissector
Discovery Timeline
- 2026-05-01 - CVE-2026-5405 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-5405
Vulnerability Analysis
The vulnerability resides in the RDP protocol dissector that Wireshark uses to parse captured Remote Desktop Protocol traffic. When the dissector processes malformed RDP fields, it performs a heap operation that writes outside the bounds of an allocated buffer. The combined CWE classifications, CWE-122 and CWE-787, indicate a heap-based buffer overflow with an out-of-bounds write primitive.
Wireshark dissectors run in the same process as the analyst's UI or tshark command-line tool. A successful corruption therefore impacts the user account performing the analysis. The vendor confirms denial of service and lists code execution as a possible outcome.
Root Cause
The defect stems from insufficient bounds validation when the RDP dissector copies attacker-controlled length or offset fields from packet data into a heap buffer. Field length values supplied by the protocol are trusted without adequate sanity checks, allowing an out-of-bounds write to occur during dissection. The dissector source, epan/dissectors/packet-rdp.c, is the code path referenced in the Wireshark issue tracker.
Attack Vector
Exploitation requires local user interaction, and the CVSS vector reflects a local attack vector with user interaction required. An attacker delivers a crafted .pcap or .pcapng file to a target analyst, who opens it in Wireshark or tshark. Alternatively, an attacker on the same network segment can inject malformed RDP frames while the analyst runs a live capture with the RDP dissector enabled. No authentication is required to craft the malicious traffic or capture file. See the Wireshark Security Advisory and the GitLab Wireshark Issue for the technical reproduction steps.
No public proof-of-concept exploit code is available in the cited references, and no synthetic exploitation code is reproduced here.
Detection Methods for CVE-2026-5405
Indicators of Compromise
- Unexpected crashes of Wireshark.exe, wireshark, or tshark processes when opening capture files containing RDP traffic
- Capture files of unknown provenance containing TCP port 3389 streams with malformed RDP PDUs
- Wireshark process termination accompanied by heap corruption error reports in operating system crash logs
Detection Strategies
- Inventory endpoints to identify Wireshark installations within the affected version ranges (4.6.0–4.6.4 and 4.4.0–4.4.14)
- Hunt for capture files arriving via email, chat, or file shares that originate outside expected sources
- Correlate Wireshark process crashes with recent file-open events or active live captures on engineering and SOC workstations
Monitoring Recommendations
- Monitor process creation and termination events for wireshark and tshark binaries on analyst endpoints
- Alert on Windows Error Reporting or Linux core dumps generated by Wireshark binaries
- Track file downloads with .pcap and .pcapng extensions from untrusted sources
How to Mitigate CVE-2026-5405
Immediate Actions Required
- Upgrade Wireshark to a fixed release as identified in advisory wnpa-sec-2026-17
- Restrict opening capture files received from untrusted or unverified sources until upgrades are complete
- Communicate the risk to network engineering, incident response, and threat hunting teams that routinely handle external .pcap files
Patch Information
The Wireshark Foundation has published advisory wnpa-sec-2026-17, which lists the fixed versions for the 4.6.x and 4.4.x branches. Administrators should consult the advisory and the GitLab Wireshark Issue for the corresponding commit and apply vendor-provided builds across all analyst workstations and servers running tshark in pipelines.
Workarounds
- Disable the RDP dissector in Wireshark (Analyze > Enabled Protocols, uncheck RDP) until patches are applied
- Avoid live captures on networks carrying untrusted RDP traffic when an unpatched Wireshark instance is in use
- Use sandboxed or isolated virtual machines to triage capture files of uncertain origin
# Disable the RDP dissector from the command line for tshark
tshark --disable-protocol rdp -r suspicious_capture.pcapng
# Verify installed Wireshark version on Linux
wireshark --version | head -n 1
# Verify installed Wireshark version on Windows (PowerShell)
(Get-Item 'C:\Program Files\Wireshark\Wireshark.exe').VersionInfo.FileVersion
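The inventory step above and the version checks just shown can be combined into a small POSIX shell helper. This is an added example, not part of the advisory or the Wireshark project; it assumes only the affected ranges stated on this page (4.6.0 through 4.6.4 and 4.4.0 through 4.4.14) and that `wireshark --version` or `tshark --version` prints the version number on its first line.

```shell
#!/bin/sh
# Added example: classify a Wireshark/tshark version banner against the
# affected ranges listed on this page for CVE-2026-5405 (wnpa-sec-2026-17).
# Returns 0 when affected, 1 when not affected, 2 when no version was found.
is_affected_version() {
    # Extract the first "major.minor.patch" triple from a banner such as
    # "Wireshark 4.6.2 (v4.6.2-0-g...)" or "TShark (Wireshark) 4.4.10 ...".
    ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Only the 4.x series is affected; the 4.6 branch is affected through
    # 4.6.4 and the 4.4 branch through 4.4.14 (ranges from this advisory).
    [ "$major" -eq 4 ] || return 1
    case "$minor" in
        6) [ "$patch" -le 4 ] && return 0 ;;
        4) [ "$patch" -le 14 ] && return 0 ;;
    esac
    return 1
}

# Check whatever Wireshark binaries are on PATH and report the result.
# Binaries that are not installed are silently skipped.
check_installed() {
    for bin in wireshark tshark; do
        command -v "$bin" >/dev/null 2>&1 || continue
        banner=$("$bin" --version 2>/dev/null | head -n 1)
        if is_affected_version "$banner"; then
            printf '%s: %s -> AFFECTED; upgrade or run with --disable-protocol rdp\n' "$bin" "$banner"
        else
            printf '%s: %s -> not in an affected range\n' "$bin" "$banner"
        fi
    done
    return 0
}

check_installed
```

On Windows the same range logic applies to the FileVersion value returned by the PowerShell one-liner above.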
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.