Wireshark Path Traversal (CVE-2026-5656) Allows RCE
The National Vulnerability Database has disclosed CVE-2026-5656, a profile import path traversal vulnerability affecting Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. This flaw, rated with a CVSS score of 7 (HIGH), presents a significant risk, potentially leading to denial of service (DoS) and even remote code execution (RCE).
The core issue lies in how Wireshark handles profile imports, specifically a CWE-22 path traversal weakness. An attacker could craft a malicious profile that, when imported by a user, manipulates file paths to overwrite critical system files or execute arbitrary code. This isn’t just about crashing Wireshark; it’s about an attacker gaining a foothold.
For defenders, this is a clear call to action. Wireshark is a ubiquitous tool in security operations, used for network analysis, incident response, and vulnerability research. Its widespread use means a successful exploit could compromise analyst workstations, turning a critical security tool into an entry point for adversaries. Patching immediately is non-negotiable.
What This Means For You
- If your security team uses Wireshark, check your installations for versions 4.6.0-4.6.4 and 4.4.0-4.4.14. Prioritize patching to a non-vulnerable version immediately to prevent potential denial of service or, critically, remote code execution on analyst machines.
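A pre-import check for the CWE-22 weakness described above, as an added example that is not code from NVD, Wireshark, or the original post. It assumes the profile arrives as a ZIP archive (one form Wireshark's profile import accepts) and flags members whose paths would resolve outside the import directory; the function names and sample entries are constructed for illustration.

```python
import io
import posixpath
import zipfile


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Return archive member names that would land outside the import directory."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators too, since a Windows extractor will.
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            # Absolute POSIX path or a Windows drive prefix such as "C:".
            absolute = name.startswith("/") or (len(name) > 1 and name[1] == ":")
            # After collapsing "a/../b" segments, a leading ".." means the
            # member climbs above the directory it is extracted into.
            escapes = norm == ".." or norm.startswith("../")
            # Symlink members (S_IFLNK in the Unix mode bits) can redirect later writes.
            is_link = (info.external_attr >> 16) & 0o170000 == 0o120000
            if absolute or escapes or is_link:
                flagged.append(info.filename)
    return flagged


def build_sample() -> bytes:
    """Constructed sample archive: two benign members, two that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lab/preferences", "# constructed sample\n")
        zf.writestr("Lab/sub/../colorfilters", "")   # ".." that stays inside Lab/
        zf.writestr("Lab/../../outside.txt", "")     # climbs above the import root
        zf.writestr("/tmp/absolute.txt", "")         # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    for member in unsafe_entries(build_sample()):
        print("refuse to import, unsafe member:", member)
```

Running the check on a profile archive from an untrusted source before importing it costs nothing, but it does not replace upgrading to a non-vulnerable version.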
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Wireshark Profile Import Path Traversal - CVE-2026-5656
```yaml
title: Wireshark Profile Import Path Traversal - CVE-2026-5656
id: scw-2026-05-01-ai-1
status: experimental
level: high
description: |
  Detects the specific command line pattern used to trigger the path traversal vulnerability in Wireshark (CVE-2026-5656) when importing a profile, which can lead to denial of service or remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5656/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'wireshark.exe'
    # Both substrings must appear in the command line. Repeating the
    # CommandLine|contains key would be a duplicate YAML mapping key,
    # so the two values are combined with the |all modifier.
    CommandLine|contains|all:
      - 'import profile'
      - '../'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5656 | Path Traversal | Wireshark versions 4.6.0 to 4.6.4 |
| CVE-2026-5656 | Path Traversal | Wireshark versions 4.4.0 to 4.4.14 |
| CVE-2026-5656 | DoS | Profile import path traversal in Wireshark |
| CVE-2026-5656 | Code Execution | Profile import path traversal in Wireshark |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 03:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.