Wireshark HTTP3 Dissector Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Wireshark version 4.2.0, where the HTTP3 dissector crashes when processing malformed QPACK data. This issue can be triggered by injecting problematic packets or by opening a crafted capture file that contains the malformed data.

Impact

Exploitation of this vulnerability leads to a crash of the Wireshark application.

Reproduction

The vulnerability can be reproduced by opening a specific capture file, 'crash_with_keys.pcapng', with Wireshark 4.2.0. The file contains malformed HTTP3 packets that cause the application to crash during QPACK stream processing.

Remediation

Users can upgrade to Wireshark version 4.2.1 or later to address this vulnerability.
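
A fleet check for the remediation above, added here as an example and not part of the original advisory: it classifies the first line of `tshark --version` or `wireshark --version` output against the versions the advisory names. The inventory lines, host names and status labels are constructed for illustration. Releases older than 4.2.0 are reported as not covered because the advisory says nothing about them.

```python
import re

# From the advisory text: 4.2.0 is named as affected, 4.2.1 or later as the fix.
AFFECTED = (4, 2, 0)
FIXED = (4, 2, 1)

# First line of `tshark --version` / `wireshark --version`, for example
# "TShark (Wireshark) 4.2.0 (...)". The optional trailing tag (such as "rc1")
# is an assumption about how pre-release builds label themselves.
BANNER_RE = re.compile(r"Wireshark\)?\s+(\d+)\.(\d+)\.(\d+)([A-Za-z]\w*)?")


def classify(banner):
    """Map one version banner to a status for this advisory."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unparsed"          # tool missing or unexpected output
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if m.group(4):
        return "review"            # pre-release build, not addressed by the advisory
    if version == AFFECTED:
        return "affected"
    if version >= FIXED:
        return "fixed"
    return "not-covered"           # older release, advisory makes no statement


def audit(inventory):
    """Parse 'host<TAB>banner' lines and return {host: status}."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        results[host.strip()] = classify(banner)
    return results


# Constructed sample inventory (hypothetical hosts, illustrative banners).
SAMPLE_INVENTORY = (
    "analyst-01\tTShark (Wireshark) 4.2.0 (constructed sample)\n"
    "analyst-02\tWireshark 4.2.1 (constructed sample)\n"
    "sensor-07\tTShark (Wireshark) 4.0.11 (constructed sample)\n"
    "lab-03\tWireshark 4.2.0rc1 (constructed sample)\n"
    "jump-01\ttshark: command not found\n"
)

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
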

Added: May 14, 2026, 6:02 AM
Updated: May 14, 2026, 6:02 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.