Wireshark CVE-2026-5403: SBC Codec Crash Allows DoS and RCE

The National Vulnerability Database has disclosed CVE-2026-5403, a high-severity vulnerability affecting Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. This flaw, rooted in an SBC codec crash, carries a CVSS score of 7.8 and is categorized under CWE-122 (Heap-based Buffer Overflow).

This vulnerability allows for denial-of-service (DoS) conditions and potentially remote code execution (RCE). An attacker could craft malicious network traffic or a capture file that, when processed by an unpatched Wireshark instance, triggers the crash. While the CVSS vector indicates user interaction is required (UI:R), this could be as simple as opening a rogue capture file or passively sniffing a manipulated network.

For defenders, this means any analyst or incident responder using affected Wireshark versions in operational environments is at risk. Compromise of a forensic workstation or a network analysis machine could provide an attacker with a foothold into critical investigation infrastructure. Patching is paramount, and isolating Wireshark usage to trusted networks or sandboxed environments is a prudent defensive measure.

What This Means For You

  • If your security operations or incident response teams use Wireshark, immediately identify all installations running versions 4.6.0 to 4.6.4 or 4.4.0 to 4.4.14. Prioritize patching to a non-vulnerable version to prevent DoS and potential RCE on critical analysis workstations. Do not open untrusted capture files on unpatched systems.
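One way to triage an inventory against the affected ranges stated above (an added example, not code from NVD, the Wireshark project or this site). The host names, function names and version lines are constructed for illustration; the lines are assumed to resemble the first line of `tshark --version` output.

```python
import re

# Affected ranges exactly as listed on this page (inclusive bounds).
AFFECTED_RANGES = [
    ((4, 6, 0), (4, 6, 4)),
    ((4, 4, 0), (4, 4, 14)),
]

# First dotted x.y.z triple that is not the tail of a longer number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """Compare numerically: as strings, '4.4.14' would sort before '4.4.4'."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'affected', 'not-listed' or 'unknown'."""
    verdicts = {}
    for host, version_line in inventory.items():
        version = parse_version(version_line)
        if version is None:
            verdicts[host] = "unknown"  # no version found: check by hand
        elif is_affected(version):
            verdicts[host] = "affected"
        else:
            verdicts[host] = "not-listed"  # outside the ranges on this page
    return verdicts


# Constructed sample inventory (hypothetical hosts and version lines).
SAMPLE_INVENTORY = {
    "ir-ws-01": "TShark (Wireshark) 4.4.14 (v4.4.14-0-g0123456789ab).",
    "ir-ws-02": "Wireshark 4.6.5 (v4.6.5-0-g0123456789ab).",
    "soc-ws-03": "4.6.0",
    "soc-ws-04": "Wireshark 4.4.15",
    "lab-05": "wireshark: command not found",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "not-listed" verdict only means the version falls outside the two ranges given on this page; hosts marked "unknown" need a manual check.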

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1203 Exploitation for Client Execution

Wireshark SBC Codec DoS/RCE Attempt - CVE-2026-5403

Sigma YAML:
title: Wireshark SBC Codec DoS/RCE Attempt - CVE-2026-5403
id: scw-2026-05-01-ai-1
status: experimental
level: high
description: |
  Detects the execution of Wireshark with a command line argument indicative of the SBC codec crash vulnerability (CVE-2026-5403). This specific payload string is a placeholder for a known malicious input that triggers the vulnerability, leading to a DoS or potential RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5403/
tags:
  # Sigma tags name the ATT&CK tactic; T1203 belongs to Execution.
  - attack.execution
  - attack.t1203
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'wireshark.exe'
    CommandLine|contains:
      # Placeholder string, as the description states; not an observed indicator.
      - 'sbc_codec_crash_payload_string'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-5403 | DoS | Wireshark versions 4.6.0 to 4.6.4
CVE-2026-5403 | DoS | Wireshark versions 4.4.0 to 4.4.14
CVE-2026-5403 | RCE | Wireshark versions 4.6.0 to 4.6.4
CVE-2026-5403 | RCE | Wireshark versions 4.4.0 to 4.4.14
CVE-2026-5403 | Memory Corruption | SBC codec crash in Wireshark

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
