Wireshark RDP Dissector Crash (CVE-2026-5405) Allows DoS, Potential RCE

The National Vulnerability Database has published its entry for CVE-2026-5405, a high-severity flaw in Wireshark's RDP protocol dissector. Affected releases are 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The entry describes a crash in the RDP dissector triggered by malformed RDP traffic, which yields a denial of service (DoS) and, in the advisory's own words, possible code execution. The advisory does not give a root cause; a dissector crash of this kind usually points to a memory-safety defect in the parsing of malformed RDP PDUs, but that is inference, not something the advisory states.

Rated CVSS 7.8 (HIGH), the flaw matters most to analysts and security teams who rely on Wireshark for traffic analysis. The attacker does not need network access to the analyst's workstation: the dissector runs on whatever bytes Wireshark is asked to parse, so a crafted capture file sent to an analyst, or crafted packets on a link the analyst happens to be capturing from, is enough to crash the application. The "possible code execution" wording is the more serious part. If the crash is exploitable, code would run inside the Wireshark process with the analyst's privileges (on many workstations, capture rights or local administrator), turning a passive analysis tool into an entry point.

Defenders should keep the attacker's calculus in mind: the tools used by security professionals are high-value targets. Compromising an analyst's machine gives a foothold in internal networks and access to sensitive intelligence, including the captures themselves. Organizations should prioritize patching Wireshark on every host where it is installed, including sensors and jump hosts that only run tshark, since tshark uses the same dissectors. Where patching is not immediately feasible, disable the RDP dissector until it is (Analyze > Enabled Protocols in the GUI, or --disable-protocol rdp on the tshark/wireshark command line), open untrusted capture files only in an isolated VM, and keep live captures off segments that carry untrusted traffic.

What This Means For You

  • If your team runs Wireshark (or tshark) 4.6.0-4.6.4 or 4.4.0-4.4.14, you are exposed. Upgrade to the current release on your branch to close CVE-2026-5405. Until then, treat any capture file or RDP traffic you did not generate yourself as untrusted input: it can crash the analyst's Wireshark session and, if the crash is exploitable, hand an attacker code execution on the workstation, which is a pivot point into your internal network rather than a mere DoS.
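A triage helper for the version ranges above, as an added example that is not Wireshark project code or this site's code. It reads the first dotted x.y.z release from `tshark --version` / `wireshark --version` output (the output shape is an assumption), classifies it against the ranges the advisory lists, and builds a tshark command line that reads a capture with the RDP dissector switched off via `--disable-protocol rdp` as an interim control. Branches the advisory does not name, such as 4.2.x, are reported as unlisted rather than safe; treating a later patch level on a listed branch as fixed is our assumption, not a statement from the advisory.

```python
"""Triage helper for CVE-2026-5405 (Wireshark RDP dissector crash).

Added example, not Wireshark project code. The affected ranges come from the
advisory text; the assumption that later patch releases on the same branch
are fixed is ours, and unlisted branches are not asserted safe.
"""
import re
import shutil
import subprocess

# Affected ranges as stated in the advisory: (major, minor) -> last affected patch level
AFFECTED = {(4, 6): 4, (4, 4): 14}


def parse_version(text):
    """Pull the first x.y.z release out of `tshark --version` output.

    Assumed output shape, e.g. "Wireshark 4.6.3 (v4.6.3-0-g...)." or
    "TShark (Wireshark) 4.6.3 (...)": the first dotted triple on the first
    line is the release.
    """
    first_line = text.splitlines()[0] if text else ""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", first_line)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(g) for g in m.groups())


def classify(version):
    """Classify a (major, minor, patch) tuple against the advisory's ranges.

    'affected'        : inside a listed range
    'later-on-branch' : higher patch level on a listed branch (assumed fixed)
    'unlisted'        : branch not named by the advisory (not asserted safe)
    """
    major, minor, patch = version
    last_bad = AFFECTED.get((major, minor))
    if last_bad is None:
        return "unlisted"
    return "affected" if patch <= last_bad else "later-on-branch"


def installed_status(tool="tshark"):
    """Run the local tshark/wireshark binary and classify it; None if not installed."""
    exe = shutil.which(tool)
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True,
                         text=True, check=False).stdout
    return classify(parse_version(out))


def hardened_tshark_cmd(pcap):
    """Command line that reads a capture with the RDP dissector disabled
    (tshark's --disable-protocol option); an interim control until patched."""
    return ["tshark", "--disable-protocol", "rdp", "-r", pcap]


if __name__ == "__main__":
    # Constructed sample output, not taken from a real binary
    sample = "Wireshark 4.6.3 (v4.6.3-0-gabcdef123456).\n\nCopyright ..."
    v = parse_version(sample)
    print(v, classify(v))
    print("installed tshark:", installed_status())
    print(" ".join(hardened_tshark_cmd("suspicious.pcap")))
```

Run it on each analyst workstation and sensor; a result of "unlisted" means the host is on a branch the advisory does not cover and needs a separate check, not that it is safe.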


Wireshark RDP Dissector Crash DoS Attempt - CVE-2026-5405

title: Wireshark RDP Dissector Crash DoS Attempt - CVE-2026-5405
id: scw-2026-05-01-ai-1
status: experimental
level: high
description: |
  Detects Wireshark being launched from cmd.exe or powershell.exe with a capture file (-r / .pcap) or an RDP-related argument on the command line. This is a launch heuristic, not evidence of exploitation: it flags the execution path a script might use to feed a crafted RDP capture to a vulnerable Wireshark (CVE-2026-5405), but it also fires on routine analyst use from a shell, and it does not see captures opened from the GUI or by double-click (parent explorer.exe). Corroborate with an Application Error (Event ID 1000) crash record naming wireshark.exe as the faulting application.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5405/
tags:
  - attack.execution
  - attack.t1204.002
  - cve.2026.5405
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'wireshark.exe'
    CommandLine|contains:
      - '-r'
      - '.pcap'
    ParentImage|contains:
      - 'cmd.exe'
      - 'powershell.exe'
  selection_2:
    Image|contains:
      - 'wireshark.exe'
    CommandLine|contains:
      - 'rdp'
    ParentImage|contains:
      - 'cmd.exe'
      - 'powershell.exe'
  condition: selection or selection_2
falsepositives:
  - Analysts opening capture files from a shell, which is routine; any path containing ".pcap" or "rdp" matches
  - Legitimate administrative activity

Source: Shimi's Cyber World
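To see what the rule above actually catches, here is its detection logic run over a handful of constructed Sysmon-style process-creation events. This is an added example, not code from this site or from the Sigma project; the events are made up, and the matcher reproduces Sigma's case-insensitive `contains` semantics (values in a list are OR-ed, fields within one selection are AND-ed) for the rule's two selections.

```python
"""Evaluate the page's Sigma rule for CVE-2026-5405 over constructed events.

Added example, not SCW's or Sigma's code. Events below are fabricated and
labelled; the matcher implements the rule exactly as written on the page.
"""


def contains_any(value, needles):
    """Sigma `field|contains: [a, b]`: case-insensitive, any needle matches."""
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)


def selection(event):
    """selection: wireshark.exe launched with -r or .pcap from cmd/powershell."""
    return (contains_any(event.get("Image"), ["wireshark.exe"])
            and contains_any(event.get("CommandLine"), ["-r", ".pcap"])
            and contains_any(event.get("ParentImage"), ["cmd.exe", "powershell.exe"]))


def selection_2(event):
    """selection_2: wireshark.exe launched with 'rdp' anywhere on the command line."""
    return (contains_any(event.get("Image"), ["wireshark.exe"])
            and contains_any(event.get("CommandLine"), ["rdp"])
            and contains_any(event.get("ParentImage"), ["cmd.exe", "powershell.exe"]))


def rule_matches(event):
    """condition: selection or selection_2"""
    return selection(event) or selection_2(event)


WIRESHARK = r"C:\Program Files\Wireshark\Wireshark.exe"

# Constructed events (not real telemetry); "label" names the scenario.
EVENTS = [
    {"label": "script feeds a crafted RDP capture to Wireshark",
     "Image": WIRESHARK,
     "CommandLine": r'"C:\Program Files\Wireshark\Wireshark.exe" -r C:\Temp\rdp_session.pcap',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"label": "analyst opens a DNS baseline from PowerShell (benign)",
     "Image": WIRESHARK,
     "CommandLine": r'"C:\Program Files\Wireshark\Wireshark.exe" -r D:\captures\dns_baseline.pcapng',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"label": "analyst double-clicks an e-mailed capture (likely delivery path)",
     "Image": WIRESHARK,
     "CommandLine": r'"C:\Program Files\Wireshark\Wireshark.exe" "C:\Users\analyst\Downloads\invoice.pcap"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"label": "unrelated process launched from a shell",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\rdp_notes.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def evaluate(events=EVENTS):
    """Return [(label, matched)] for each event, in order."""
    return [(e["label"], rule_matches(e)) for e in events]


if __name__ == "__main__":
    for label, hit in evaluate():
        print("HIT " if hit else "miss", label)
```

The second and third rows show the rule's practical limits: it is noisy on ordinary shell use (".pcap" also matches ".pcapng") and blind to the GUI path, which is how a mailed capture is most likely to be opened. For this CVE the crash itself is the better anchor: on Windows an Application Error record (Event ID 1000) with wireshark.exe as the faulting application, on Linux a core dump or crash reporter entry for wireshark/tshark.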


Indicators of Compromise

The advisory carries no file hashes, domains or network indicators; the entries below are the affected version ranges, which is all a vulnerability entry of this kind provides.

ID              Type             Indicator
CVE-2026-5405   DoS              Wireshark 4.6.0 to 4.6.4 - RDP protocol dissector crash
CVE-2026-5405   DoS              Wireshark 4.4.0 to 4.4.14 - RDP protocol dissector crash
CVE-2026-5405   Code Execution   Wireshark 4.6.0 to 4.6.4 - RDP protocol dissector crash
CVE-2026-5405   Code Execution   Wireshark 4.4.0 to 4.4.14 - RDP protocol dissector crash
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
