Introduction
A heap buffer overflow in Wireshark's TLS dissector puts the very analysts who rely on the tool for network forensics and incident response at risk of denial of service or code execution on their own workstations. Tracked as CVE-2026-5402 with a CVSS 3.1 base score of 8.8, the flaw is rooted in the Encrypted Client Hello (ECH) transcript reconstruction code and can be triggered simply by capturing malicious traffic or opening a crafted packet capture file.
Technical Information
The vulnerability lives in Wireshark's TLS protocol dissector, specifically within the code responsible for reconstructing Encrypted Client Hello (ECH) transcripts. It is classified under CWE-122 (Heap-based Buffer Overflow), with additional weakness classifications of CWE-680 (Integer Overflow to Buffer Overflow) and CWE-197 (Numeric Truncation Error).
Root Cause
The core issue is an integer truncation error within the ech_outer_extensions processing loop. When Wireshark attempts to parse a TLS ClientHello packet containing crafted ECH outer extensions, a numeric value is truncated during processing. This truncation causes the dissector to miscalculate a buffer boundary, allowing attacker-controlled data to be written past the end of a heap-allocated buffer. Security researcher Duc Anh Nguyen confirmed via AddressSanitizer that the resulting overflow is exactly 245 bytes.
The combination of CWE-197 (numeric truncation) feeding into CWE-680 (integer overflow leading to buffer overflow) and ultimately manifesting as CWE-122 (heap-based buffer overflow) represents a classic chain where an arithmetic error in a size calculation leads to memory corruption.
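The truncation chain described above, as an added illustration that is not Wireshark's ech_outer_extensions code: a constructed length accumulator that narrows its running sum to 16 bits, beside a checked version that refuses an inconsistent list, and a helper that measures the allocate-then-copy mismatch without performing any unsafe write. The extension layout, the bound TLS_EXT_BLOCK_MAX and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a TLS extension list (2-byte type + 2-byte length per
 * entry). Not Wireshark's ech_outer_extensions code; it only mirrors the
 * CWE-197 -> CWE-680 -> CWE-122 chain named in the advisory. */
#define EXT_HEADER_LEN 4u
#define TLS_EXT_BLOCK_MAX 65535u  /* assumed upper bound for a reconstructed block */

/* Vulnerable pattern: the running total is kept in a uint16_t, so the sum of
 * entry sizes silently wraps past 65535 (numeric truncation). A caller that
 * allocates this many bytes and then copies every entry overflows the heap. */
size_t transcript_len_truncated(const uint16_t *ext_lens, size_t n) {
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total = (uint16_t)(total + EXT_HEADER_LEN + ext_lens[i]);
    return total;
}

/* Hardened pattern: wide accumulator plus an explicit bound check on every
 * step; returns 0 so the caller refuses to allocate for an inconsistent list. */
size_t transcript_len_checked(const uint16_t *ext_lens, size_t n, size_t max_total) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t item = EXT_HEADER_LEN + (size_t)ext_lens[i];
        if (item > max_total || total > max_total - item)
            return 0;                      /* sum would exceed the block bound */
        total += item;
    }
    return total;
}

/* Measures the allocate-then-copy mismatch without performing any unsafe write:
 * bytes that would land past a buffer sized by the truncated total (0 = safe). */
size_t overflow_bytes(const uint16_t *ext_lens, size_t n) {
    size_t alloc = transcript_len_truncated(ext_lens, n);
    size_t need = 0;
    for (size_t i = 0; i < n; i++)
        need += EXT_HEADER_LEN + (size_t)ext_lens[i];
    return need > alloc ? need - alloc : 0;
}

int main(void) {
    const uint16_t benign[] = {100, 200};      /* constructed sample lengths */
    const uint16_t crafted[] = {65535, 250};   /* constructed sample lengths */
    printf("benign:  overflow=%zu checked=%zu\n", overflow_bytes(benign, 2),
           transcript_len_checked(benign, 2, TLS_EXT_BLOCK_MAX));
    printf("crafted: overflow=%zu checked=%zu\n", overflow_bytes(crafted, 2),
           transcript_len_checked(crafted, 2, TLS_EXT_BLOCK_MAX));
    return 0;
}
```

The 245-byte figure from the advisory is specific to Wireshark's real code path and is not reproduced here; the point is that the truncated total is what gets allocated while the full total is what gets copied.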
Attack Flow
Exploitation of this vulnerability does not require authentication or direct access to the victim's system. An attacker can trigger the flaw through two distinct vectors, both of which align closely with everyday analyst workflows:
Vector 1: Malicious Live Traffic
- The attacker crafts a TLS ClientHello packet containing malicious ECH outer extensions designed to trigger the integer truncation.
- The attacker injects this packet onto a network segment being monitored by the target analyst.
- When the analyst's Wireshark instance captures and dissects the packet, the ech_outer_extensions processing loop encounters the truncation error.
- The dissector writes 245 bytes of attacker-controlled data past the heap buffer boundary, resulting in a crash or potentially arbitrary code execution.
Vector 2: Crafted Capture File
- The attacker constructs a pcapng (or similar format) capture file containing the malicious TLS ClientHello packet.
- The file is delivered to the target analyst via social engineering, a shared repository, or supply chain compromise.
- When the analyst opens the file in a vulnerable Wireshark version, the same dissector code path is triggered.
- The heap overflow occurs during file parsing, with the same potential outcomes: crash or code execution.
Both vectors are particularly concerning because security analysts routinely capture live traffic from untrusted networks and open capture files from external sources as part of their investigative workflows.
Affected Systems and Versions
The following Wireshark versions are affected by CVE-2026-5402:
| Version | Status |
|---|---|
| Wireshark 4.6.0 through 4.6.4 | Vulnerable |
| Wireshark 4.7.0rc0 (development build) | Vulnerable |
| Wireshark 4.6.5 and later | Not affected (patched) |
| Wireshark 4.4.x and earlier | Not affected |
Versions 4.4.x and earlier are not affected because they do not contain the ECH decryption code where the flaw resides. The vulnerability was introduced alongside the ECH transcript reconstruction feature in the 4.6.x branch.
If an immediate upgrade to 4.6.5 is not feasible, temporarily using the maintained 4.4.x branch for analyzing untrusted captures can serve as a workaround.
Vendor Security History
Wireshark maintains a transparent and active security advisory process. Because the software is designed to parse hundreds of complex and often malformed network protocols, dissector vulnerabilities are a recurring theme. The 4.6.5 release that addresses CVE-2026-5402 also resolves several other security issues:
| Advisory | Protocol | Issue |
|---|---|---|
| wnpa-sec-2026-14 | TLS | Crash and possible code execution (this CVE) |
| wnpa-sec-2026-33 | TLS | Infinite loop |
| wnpa-sec-2026-37 | MySQL | Crash |
| wnpa-sec-2026-44 | WebSocket | Crash |
| wnpa-sec-2026-45 | SMB2 | Crash |
This pattern of bundled security fixes in a single release reflects both the inherent complexity of protocol parsing and the vendor's commitment to addressing reported issues promptly. The project benefits from contributions by over 2000 authors and has been recognized with awards from publications like PC Magazine and InfoWorld.