CVE-2026-5654 Overview
CVE-2026-5654 is a Stack Overflow vulnerability affecting the AMR-NB codec dissector in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. This vulnerability allows attackers to cause a denial of service condition by providing specially crafted input that triggers a crash in the application.
Critical Impact
Exploitation of this vulnerability can cause Wireshark to crash, resulting in denial of service for network administrators and security analysts relying on the tool for packet capture and analysis.
Affected Products
- Wireshark 4.6.0 to 4.6.4
- Wireshark 4.4.0 to 4.4.14
Discovery Timeline
- 2026-04-30 - CVE CVE-2026-5654 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-5654
Vulnerability Analysis
The vulnerability exists within the AMR-NB (Adaptive Multi-Rate Narrowband) codec dissector component of Wireshark. The AMR-NB codec is commonly used for voice encoding in telecommunications and VoIP applications, making it a frequently encountered protocol in network traffic analysis.
The flaw is classified as CWE-121 (Stack-based Buffer Overflow), indicating that improper bounds checking allows data to be written beyond the allocated stack buffer boundaries. When processing malformed AMR-NB encoded packets, the dissector fails to properly validate input parameters, leading to stack corruption and subsequent application crash.
This vulnerability requires local access with user interaction, meaning an attacker would need to convince a user to open a maliciously crafted capture file or analyze traffic containing the exploit payload.
Root Cause
The root cause is a stack-based buffer overflow (CWE-121) in the AMR-NB codec dissector. The vulnerability occurs when the dissector processes specially crafted packet data without adequate validation of buffer boundaries. The stack overflow condition corrupts the call stack, causing the application to terminate unexpectedly.
Attack Vector
The attack vector is local, requiring user interaction. An attacker can exploit this vulnerability through the following methods:
- Malicious Capture File: Creating a .pcap or .pcapng file containing crafted AMR-NB codec data and distributing it to targets for analysis
- Live Traffic Analysis: In scenarios where the victim is performing live capture on a network the attacker controls, malicious packets could be injected to trigger the crash
- Social Engineering: Sharing capture files through security forums, bug reports, or professional communication channels
The vulnerability affects the availability of the Wireshark application but does not impact confidentiality or integrity of data.
Detection Methods for CVE-2026-5654
Indicators of Compromise
- Unexpected Wireshark application crashes during packet analysis sessions
- Crash dumps or error logs indicating stack corruption in AMR-NB dissector components
- Suspicious .pcap or .pcapng files containing malformed AMR-NB codec frames
Detection Strategies
- Monitor for repeated Wireshark crashes across multiple analyst workstations
- Implement file integrity monitoring on capture files received from external sources
- Deploy endpoint detection solutions that can identify exploitation attempts targeting analysis tools
- Review system event logs for application crash events correlated with Wireshark processes
Monitoring Recommendations
- Enable crash reporting and centralized logging for Wireshark deployments
- Establish baseline metrics for normal Wireshark operation to identify anomalous crash patterns
- Consider sandboxing Wireshark when analyzing capture files from untrusted sources
- Monitor for distribution of suspicious capture files targeting security teams
How to Mitigate CVE-2026-5654
Immediate Actions Required
- Update Wireshark to version 4.6.5 or later (for 4.6.x branch) or 4.4.15 or later (for 4.4.x branch)
- Avoid opening capture files from untrusted or unknown sources until patching is complete
- Consider disabling the AMR-NB dissector if the protocol is not required for your analysis needs
- Implement network segmentation to limit exposure of analyst workstations
Patch Information
Wireshark has released security patches addressing this vulnerability. Users should upgrade to the latest available version in their respective release branch. Detailed information is available in the Wireshark Security Advisory and the GitLab Wireshark Issue.
Workarounds
- Disable the AMR-NB dissector by navigating to Analyze → Enabled Protocols and unchecking the AMR-NB protocol
- Use alternative packet analysis tools for files from untrusted sources until the patch can be applied
- Run Wireshark in a sandboxed environment or virtual machine when analyzing potentially malicious captures
- Implement organizational policies restricting the sources of capture files analysts may open
# Disable AMR-NB dissector via command line
wireshark -o "amr.decode_as_nb:FALSE"
# Run Wireshark with limited protocol dissectors enabled
wireshark --disable-protocol amr_nb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
