CVE-2026-6870 Overview
CVE-2026-6870 is a denial of service vulnerability affecting the GSM RP protocol dissector in Wireshark. The flaw exists in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14, where specially crafted network traffic or capture files can trigger a crash in the GSM RP dissector, leading to application termination and denial of service.
Critical Impact
An attacker can crash Wireshark by providing a malformed GSM RP packet, disrupting network analysis operations and potentially causing loss of capture data.
Affected Products
- Wireshark 4.6.0 to 4.6.4
- Wireshark 4.4.0 to 4.4.14
Discovery Timeline
- 2026-04-30 - CVE-2026-6870 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-6870
Vulnerability Analysis
This vulnerability is classified as CWE-824 (Access of Uninitialized Pointer), which occurs when the GSM RP protocol dissector attempts to access a pointer that has not been properly initialized. The GSM RP (Relay Protocol) dissector is responsible for parsing GSM SMS relay protocol messages captured in network traffic. When processing malformed or unexpected GSM RP packets, the dissector fails to validate pointer initialization before dereferencing, resulting in undefined behavior and application crash.
The local attack vector requires user interaction: a victim must open a malicious capture file or capture live traffic containing the crafted packets. While the vulnerability does not allow code execution or data exfiltration, it poses significant availability concerns for organizations relying on Wireshark for network forensics and troubleshooting.
Root Cause
The root cause is improper pointer initialization handling within the GSM RP protocol dissector code. When parsing certain GSM RP message structures, the dissector allocates pointer variables but fails to initialize them under specific parsing conditions. Subsequent code paths then attempt to dereference these uninitialized pointers, causing memory access violations and crashing the application. This represents a classic uninitialized pointer vulnerability where defensive programming practices were not consistently applied throughout the dissector's parsing logic.
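As an added illustration of the CWE-824 pattern described above, here is a constructed toy dissector in its vulnerable shape beside its hardened form. This is not Wireshark's GSM RP dissector code: the message layout (tag byte, length byte, payload) and the names dissect_vulnerable, dissect_hardened and first_address_byte are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed message layout for this illustration: byte 0 is a tag, byte 1 is
 * the payload length, and the payload follows. Only TAG_ADDRESS carries an
 * address field. This is not Wireshark's GSM RP layout. */
#define TAG_ADDRESS 0x01

typedef struct {
    const uint8_t *address; /* points into the message, or NULL when absent */
    size_t address_len;
} parsed_msg_t;

/* Vulnerable pattern (CWE-824): 'addr' is assigned on one branch only, but
 * dereferenced on every branch. A message with any other tag makes the
 * dereference read through whatever the stack held before. Only call this on
 * a TAG_ADDRESS message; the other path is undefined behaviour by design. */
int dissect_vulnerable(const uint8_t *buf, size_t len, uint8_t *first_byte)
{
    const uint8_t *addr; /* never initialised */

    if (len < 2)
        return -1;
    if (buf[0] == TAG_ADDRESS && buf[1] > 0 && (size_t)buf[1] + 2 <= len)
        addr = buf + 2;

    *first_byte = addr[0]; /* uninitialised for every non-address tag */
    return 0;
}

/* Hardened form: every pointer starts as NULL, the declared length is
 * bounds-checked before it is trusted, and the pointer is tested before use. */
int dissect_hardened(const uint8_t *buf, size_t len, parsed_msg_t *out)
{
    const uint8_t *addr = NULL;
    size_t addr_len = 0;

    memset(out, 0, sizeof(*out));
    if (len < 2)
        return -1; /* need at least tag and length */
    if ((size_t)buf[1] + 2 > len)
        return -1; /* declared length runs past the end of the message */

    if (buf[0] == TAG_ADDRESS) {
        addr = buf + 2;
        addr_len = buf[1];
    }

    /* The non-address path leaves addr NULL; check before dereferencing. */
    if (addr != NULL && addr_len > 0) {
        out->address = addr;
        out->address_len = addr_len;
    }
    return 0;
}

/* Convenience wrapper: first address byte, or -1 when there is no address. */
int first_address_byte(const uint8_t *buf, size_t len)
{
    parsed_msg_t m;
    if (dissect_hardened(buf, len, &m) != 0 || m.address == NULL)
        return -1;
    return m.address[0];
}
```

The two defensive habits that close this class of bug are visible in dissect_hardened: initialise every pointer at declaration (so an unexpected tag yields a testable NULL rather than stack garbage) and validate any length field against the buffer before computing a pointer from it.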
Attack Vector
The vulnerability requires local access, meaning an attacker must either:
- Convince a user to open a malicious PCAP/PCAPNG capture file containing crafted GSM RP packets
- Inject malicious GSM RP traffic on a network segment being actively captured by the victim's Wireshark instance
The attack does not require authentication and can be triggered through normal user workflows such as opening shared capture files for analysis. While the attack requires user interaction, the barrier is low since network analysts routinely open capture files from various sources.
The vulnerability mechanism involves crafting GSM RP protocol messages with specific field combinations that cause the dissector to skip pointer initialization while still attempting to use those pointers later in the parsing flow. Technical details are available in the Wireshark Security Advisory WNPA-2026-43.
Detection Methods for CVE-2026-6870
Indicators of Compromise
- Unexpected Wireshark process terminations when analyzing capture files containing GSM/mobile network traffic
- Crash reports or core dumps from Wireshark indicating segmentation faults in dissector code
- Presence of unusual PCAP files with GSM RP traffic from untrusted sources
Detection Strategies
- Monitor for repeated Wireshark crashes across analysis workstations, particularly when processing files from external sources
- Implement file integrity monitoring on shared capture file repositories to detect potentially malicious files
- Deploy endpoint detection to alert on Wireshark process crashes with memory access violation signatures
Monitoring Recommendations
- Track Wireshark version deployments across the organization to identify systems running vulnerable versions (4.6.0-4.6.4 and 4.4.0-4.4.14)
- Review crash logs and Windows Event Logs for Wireshark application faults on analyst workstations
- Monitor network traffic to capture servers for unusual GSM RP protocol activity that could indicate exploitation attempts
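To make the version-tracking recommendation above concrete, here is an added example (not part of the original advisory) that classifies a Wireshark or TShark version string against the affected ranges listed on this page. The function names parse_wireshark_version and in_affected_range are assumptions; the only facts it encodes are the two affected ranges and the fixed releases stated above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } wsver_t;

/* Find the first x.y.z triple in a string, so both a bare "4.6.3" and the
 * first line of `tshark --version` output ("TShark (Wireshark) 4.6.3 ...")
 * parse. Returns 0 on success, -1 when no triple is present. */
int parse_wireshark_version(const char *s, wsver_t *v)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        int starts_number = isdigit((unsigned char)s[i]) &&
                            (i == 0 || !isdigit((unsigned char)s[i - 1]));
        if (starts_number &&
            sscanf(s + i, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3)
            return 0;
    }
    return -1;
}

static int in_patch_range(const wsver_t *v, int major, int minor, int lo, int hi)
{
    return v->major == major && v->minor == minor &&
           v->patch >= lo && v->patch <= hi;
}

/* 1 if the version falls inside a range the advisory lists as affected
 * (4.6.0-4.6.4 or 4.4.0-4.4.14), 0 if it does not, -1 if unparsable.
 * A 0 only means "not in the listed ranges", not a general safety verdict. */
int in_affected_range(const char *version_text)
{
    wsver_t v;
    if (parse_wireshark_version(version_text, &v) != 0)
        return -1;
    return in_patch_range(&v, 4, 6, 0, 4) || in_patch_range(&v, 4, 4, 0, 14);
}

/* Stand-alone use: pipe `tshark --version | head -1` into this program. */
int main(void)
{
    char line[256];
    if (!fgets(line, sizeof line, stdin))
        return 2;
    switch (in_affected_range(line)) {
    case 1:  puts("AFFECTED: version is in a CVE-2026-6870 range"); return 1;
    case 0:  puts("not in the affected ranges"); return 0;
    default: puts("could not parse a version"); return 2;
    }
}
```

Run it over the output of `tshark --version` (or `wireshark --version`) from an inventory job; the non-zero exit code for affected hosts makes it easy to feed into whatever fleet tooling collects the results.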
How to Mitigate CVE-2026-6870
Immediate Actions Required
- Upgrade Wireshark to version 4.6.5 or later for the 4.6.x branch
- Upgrade Wireshark to version 4.4.15 or later for the 4.4.x branch
- Avoid opening capture files from untrusted or unverified sources until patched
- Consider disabling the GSM RP dissector if not required for operational needs
Patch Information
Wireshark has released security updates addressing this vulnerability. Users should upgrade to the latest stable release in their respective version branches. Detailed patch information and the security advisory are available at Wireshark Security Advisory WNPA-2026-43. Additional technical details can be found in the GitLab Wireshark Work Item.
Workarounds
- Disable the GSM RP protocol dissector by navigating to Analyze → Enabled Protocols and unchecking gsm_rp
- Use TShark with protocol filters to exclude GSM RP parsing when analyzing potentially malicious captures
- Implement network segmentation to prevent untrusted traffic from reaching capture interfaces
- Run Wireshark in an isolated environment or sandbox when analyzing capture files from unknown sources
# Disable the GSM RP dissector for a single TShark run
tshark --disable-protocol gsm_rp -r capture.pcap
# The same switch works for the Wireshark GUI
wireshark --disable-protocol gsm_rp -r capture.pcap
# List registered protocol names to confirm the dissector's short name
tshark -G protocols | grep -i rp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.