CVE-2026-6523 Overview
CVE-2026-6523 is an infinite loop vulnerability in the GNW protocol dissector shipped with Wireshark. The flaw affects Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. An attacker can trigger sustained CPU exhaustion by convincing a user to open a crafted capture file or by injecting malformed GNW traffic onto a monitored interface. The vulnerability is tracked under CWE-835: Loop with Unreachable Exit Condition and results in denial of service against the Wireshark process. No code execution or information disclosure is possible through this issue.
Critical Impact
Wireshark hangs or consumes all available CPU when processing a malformed GNW packet, disrupting analyst workflows and incident response activities.
Affected Products
- Wireshark 4.6.0 through 4.6.4
- Wireshark 4.4.0 through 4.4.14
- Deployments using tshark or dumpcap with the same dissector library
Discovery Timeline
- 2026-04-30 - CVE-2026-6523 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-6523
Vulnerability Analysis
The defect resides in the GNW protocol dissector inside the Wireshark dissection engine. When the dissector parses a malformed GNW protocol data unit, it enters a loop whose exit condition is never satisfied. The thread responsible for packet dissection spins indefinitely, blocking the user interface and preventing further capture processing. Because dissectors run during both live capture and offline file analysis, a single crafted packet is sufficient to disrupt an analyst session. The issue requires user interaction, such as opening a capture file or starting a live capture on an interface where the attacker can place traffic.
Root Cause
The root cause is improper loop termination logic during length or offset handling in the GNW dissector. The dissector advances through fields based on values supplied inside the packet itself. When attacker-controlled values do not increase the cursor, the parser revisits the same bytes repeatedly. Wireshark security advisory wnpa-sec-2026-38 and the upstream tracker entry GitLab work item 21177 describe the fix.
Attack Vector
Exploitation requires local user interaction. An attacker delivers a crafted .pcap or .pcapng file by email, chat, or shared storage and waits for the analyst to open it. Alternatively, an attacker on a monitored network segment can transmit malformed GNW frames during a live capture. Once the dissector reaches the offending packet, the Wireshark process consumes CPU and stops producing output. The vulnerability does not yield code execution, privilege escalation, or data exposure.
Detection Methods for CVE-2026-6523
Indicators of Compromise
- Wireshark, tshark, or dumpcap processes sustaining near 100% CPU utilization on a single core while parsing a capture file.
- Capture sessions that stall after a specific packet number when GNW traffic is present.
- Unsolicited .pcap or .pcapng files arriving through email or messaging platforms targeting analysts.
Detection Strategies
- Inventory analyst workstations running Wireshark versions in the affected ranges using software asset management telemetry.
- Alert on wireshark.exe, tshark, or dumpcap processes that exceed CPU thresholds for longer than expected dissection windows.
- Inspect shared capture repositories for files containing GNW protocol frames with anomalous length fields.
Monitoring Recommendations
- Track Wireshark version strings across endpoints and flag installs older than 4.6.5 or 4.4.15.
- Forward process performance metrics from analyst hosts to a central log platform for correlation against capture activity.
- Review email and file-transfer gateways for inbound packet captures from untrusted senders.
How to Mitigate CVE-2026-6523
Immediate Actions Required
- Upgrade Wireshark to a fixed release listed in wnpa-sec-2026-38 on all analyst workstations and forensic appliances.
- Instruct analysts not to open capture files received from untrusted sources until the upgrade is complete.
- Terminate any hung Wireshark sessions and capture the offending file for offline analysis on a patched host.
Patch Information
The Wireshark Foundation has published fixes in releases later than 4.6.4 and 4.4.14. Refer to the Wireshark Security Advisory 2026-38 for the exact patched versions and to the GitLab Wireshark Work Item 21177 for the upstream change details.
Workarounds
- Disable the GNW dissector through Analyze > Enabled Protocols until the host can be upgraded.
- Use tshark with --disable-protocol gnw when processing capture files from low-trust sources.
- Run dissection of unknown captures inside an isolated virtual machine that can be reset if the process hangs.
# Disable the GNW dissector from the command line
tshark -r suspicious.pcapng --disable-protocol gnw -V
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
