Wireshark HTTP Protocol Dissector Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The issue arises in the HTTP protocol dissector, which can crash when handling certain packets. This crash is triggered by a stack buffer overflow, caused by the HTTP dissector being called through an X.25 conversation path, rather than the expected TCP path. As a result, the dissector accesses invalid, uninitialized memory, leading to a buffer overflow and application crash.

Impact

Exploitation of this vulnerability causes Wireshark to crash, terminating the application and disrupting any ongoing packet analysis.

Reproduction

The vulnerability can be reproduced by using TShark, Wireshark's command-line version, to read a packet capture file (PCAPNG) that contains malformed packets. Such packets can reach a target either by being injected onto the network or through a PCAP file that a user is convinced to open. The reproduction disables the 'ip.defragment' and 'tcp.desegment_tcp_streams' options, which facilitates the crash.

Remediation

Users are advised to upgrade to Wireshark versions 4.6.5, 4.4.15 or later.
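
The following is an added example, not part of the original advisory or of Wireshark: a host check that reads the `tshark --version` banner, compares it with the affected ranges stated above, and reports whether the two preferences named under Reproduction are explicitly disabled. The banner format, the `name: value` preferences syntax and the sample inputs are assumptions constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory: branch -> (first, last) affected patch.
# Branches the advisory does not mention are reported as not affected *by this advisory*.
AFFECTED = {(4, 6): (0, 4), (4, 4): (0, 14)}
# Preferences the advisory says are disabled in the reproduction.
REPRO_PREFS = ("ip.defragment", "tcp.desegment_tcp_streams")

def parse_version(banner):
    """Extract (major, minor, patch) from the first line of `tshark --version`."""
    m = re.search(r"\(Wireshark\)\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Wireshark version in banner: %r" % banner)
    return tuple(int(g) for g in m.groups())

def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = version
    bounds = AFFECTED.get((major, minor))
    return bounds is not None and bounds[0] <= patch <= bounds[1]

def disabled_repro_prefs(prefs_text):
    """Return reproduction-relevant preferences explicitly set to FALSE."""
    off = []
    for line in prefs_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and commented defaults
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in REPRO_PREFS and value.strip().upper() == "FALSE":
            off.append(key.strip())
    return off

def assess(banner, prefs_text=""):
    """Summarise one host: installed version, advisory match, preference state."""
    version = parse_version(banner)
    return {
        "version": ".".join(map(str, version)),
        "affected": is_affected(version),
        "repro_prefs_disabled": disabled_repro_prefs(prefs_text),
    }

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "TShark (Wireshark) 4.4.14 (Git v4.4.14 packaged as 4.4.14-1)."
SAMPLE_PREFS = "#ip.defragment: TRUE\nip.defragment: FALSE\ntcp.desegment_tcp_streams: TRUE\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_PREFS))
```

A host reported as affected should be upgraded regardless of the preference state; the preference field only shows whether the installation matches the reproduction conditions described above.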

Added: Apr 30, 2026, 6:24 AM
Updated: Apr 30, 2026, 6:24 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.