Wireshark HTTP3 Dissector Infinite Loop Vulnerability Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Wireshark versions 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12. The issue lies in the HTTP3 protocol dissector, which can enter an infinite loop when processing certain packets, particularly those belonging to large HTTP/2 sessions carried over QUIC. The flaw can be triggered by convincing a user to open a crafted packet trace file, which drives CPU usage to excess and causes Wireshark to hang or crash.

Impact

Exploitation of this vulnerability can cause Wireshark to consume excessive CPU resources, leading to a hang or crash of the application.

Reproduction

The vulnerability can be reproduced by opening, in an affected Wireshark build, a packet capture file that contains large HTTP/2 sessions over QUIC. The application hangs after processing a certain number of packets, specifically those that trigger the bug in the HTTP3 dissector.

Remediation

Users are advised to upgrade to Wireshark 4.6.3 or later on the 4.6 branch, or to 4.4.13 or later on the 4.4 branch.
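As an added example that is not part of this advisory, the following Python check maps an installed build, as printed on the first line of `wireshark -v`, onto the affected and fixed versions listed above so a fleet inventory can be triaged; the sample version strings are constructed.

```python
"""Map installed Wireshark builds onto the affected/fixed ranges from the advisory."""
import re

# Affected ranges and fixed releases as stated in the advisory, keyed by branch:
# branch -> (first affected, last affected, first fixed)
AFFECTED = {
    (4, 6): ((4, 6, 0), (4, 6, 2), (4, 6, 3)),
    (4, 4): ((4, 4, 0), (4, 4, 12), (4, 4, 13)),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Wireshark 4.6.1 (v4.6.1-0-g...)'.

    Raises ValueError when no x.y.z version is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Return a dict with the parsed version, whether it is affected and the fixed release.

    Builds on branches the advisory does not name are reported as 'not listed'
    rather than 'fixed', since the advisory makes no statement about them.
    """
    ver = parse_version(version_text)
    branch = ver[:2]
    if branch not in AFFECTED:
        return {"version": ver, "affected": False, "status": "not listed", "upgrade_to": None}
    first, last, fixed = AFFECTED[branch]
    if first <= ver <= last:  # tuple comparison handles e.g. 4.4.9 < 4.4.12 correctly
        return {"version": ver, "affected": True, "status": "affected", "upgrade_to": fixed}
    return {"version": ver, "affected": False, "status": "fixed", "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample `wireshark -v` first lines, as an inventory job might collect them.
    for line in ["Wireshark 4.6.1 (v4.6.1-0-g0123456789ab)",
                 "Wireshark 4.4.12 (v4.4.12-0-g0123456789ab)",
                 "Wireshark 4.4.13 (v4.4.13-0-g0123456789ab)",
                 "Wireshark 4.2.9 (v4.2.9-0-g0123456789ab)"]:
        r = assess(line)
        target = ".".join(map(str, r["upgrade_to"])) if r["upgrade_to"] else "-"
        print(f"{'.'.join(map(str, r['version'])):8} {r['status']:11} upgrade_to={target}")
```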

Added: Jan 14, 2026, 9:20 PM
Updated: Jan 14, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight key vulnerability categories, which are then combined into the overall risk score.