Wireshark TLS Dissector Heap Overflow (CVE-2026-5402) Enables DoS, RCE
The National Vulnerability Database (NVD) has published details on CVE-2026-5402, a critical heap overflow vulnerability affecting Wireshark versions 4.6.0 through 4.6.4. This flaw resides within the TLS protocol dissector, creating a serious risk for users.
Rated with a CVSSv3.1 score of 8.8 (High), this vulnerability primarily enables denial-of-service (DoS) conditions. However, the NVD warns of possible remote code execution (RCE), which would grant attackers full control over compromised systems. The attacker’s calculus here is straightforward: craft malicious TLS traffic, and when a vulnerable Wireshark instance processes it, trigger the heap overflow.
For defenders, this means network analysis tools designed to secure your environment could become an attack vector. Any organization running these specific Wireshark versions needs to prioritize patching. Attackers are constantly looking for new ways into networks, and exploiting a widely used tool like Wireshark is a high-value target.
What This Means For You
- If your network security teams use Wireshark, check their installations immediately. Any instances running versions 4.6.0 through 4.6.4 are vulnerable to CVE-2026-5402. Patch or upgrade to a fixed version to prevent potential denial of service or remote code execution, especially on systems that handle network captures from untrusted sources.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Wireshark TLS Dissector Heap Overflow Attempt (CVE-2026-5402) - Free Tier
title: Wireshark TLS Dissector Heap Overflow Attempt (CVE-2026-5402) - Free Tier
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
Detects the execution of Wireshark's command-line utility 'tshark' which is often used to trigger dissector vulnerabilities. This rule specifically targets potential exploitation of the CVE-2026-5402 TLS dissector heap overflow by looking for the Wireshark executable being invoked, which is a prerequisite for triggering the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-5402/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- 'wireshark.exe'
CommandLine|contains:
- 'tshark'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5402 | Buffer Overflow | Wireshark TLS protocol dissector heap overflow |
| CVE-2026-5402 | DoS | Wireshark versions 4.6.0 to 4.6.4 |
| CVE-2026-5402 | RCE | Wireshark versions 4.6.0 to 4.6.4 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6521 — Denial of Service
CVE-2026-6521 — OpenFlow v5 protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-6520 — Denial of Service
CVE-2026-6520 — OpenFlow v6 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-6519 — Denial of Service
CVE-2026-6519 — MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service