CVE-2021-4182

7.5 HIGH

📋 TL;DR

A vulnerability in Wireshark's RFC 7468 dissector allows attackers to cause a denial of service crash via specially crafted network packets or capture files. This affects Wireshark users analyzing network traffic containing malicious RFC 7468 data. The crash occurs during packet dissection and can disrupt network analysis operations.

💻 Affected Systems

Products:
  • Wireshark
Versions: 3.4.0 to 3.4.10, and 3.6.0
Operating Systems: All platforms running affected Wireshark versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when dissecting RFC 7468 (Textual Encodings of PKIX, PKCS, and CMS Structures) packets or analyzing capture files containing such packets.

📦 What is this software?

Wireshark is a widely used open-source network protocol analyzer. It decodes live captured traffic and saved capture files using per-protocol dissectors; the RFC 7468 dissector handles the PEM-style textual encodings of PKIX, PKCS, and CMS structures (certificates, keys, and signed data).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service where Wireshark crashes repeatedly, preventing network traffic analysis and potentially disrupting monitoring/security operations.

🟠 Likely Case

Wireshark crashes when processing malicious packets or capture files, requiring a restart and potentially losing analysis context.

🟢 If Mitigated

No impact if Wireshark is not used to analyze untrusted network traffic or capture files.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool used internally.
🏢 Internal Only: MEDIUM - Internal users could be affected if analyzing malicious traffic or files, but requires specific conditions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to inject malicious packets into network traffic being analyzed, or to supply a crafted capture file. The flaw is in the dissector itself, so no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.11 and 3.6.1

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2021-02.html

Restart Required: Yes

Instructions:

1. Download the latest Wireshark version from wireshark.org.
2. Uninstall the current version.
3. Install the patched version.
4. Restart the system to ensure a clean state.

🔧 Temporary Workarounds

Disable RFC 7468 dissector (Platform: all)

Prevent Wireshark from parsing RFC 7468 packets by disabling the dissector.

Edit -> Preferences -> Protocols -> RFC 7468 -> Uncheck 'Enable RFC 7468 dissection'

Use capture filters (Platform: all)

Filter RFC 7468 traffic out before it is captured or analyzed.

Use a capture filter such as 'not port 443', or customize it for your environment.

🧯 If You Can't Patch

  • Restrict Wireshark use to trusted networks and capture files only
  • Implement network segmentation to prevent untrusted traffic from reaching Wireshark systems

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version via Help -> About Wireshark. If the version is 3.4.0 through 3.4.10, or 3.6.0, you are vulnerable.

Check Version:

Run wireshark --version (Linux/macOS) or open the About dialog (Windows).

Verify Fix Applied:

Confirm the version is 3.4.11 or later on the 3.4 branch, or 3.6.1 or later on the 3.6 branch. Test with known malicious capture files if available.
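A version check for this advisory's affected ranges, added here as an example (not from the advisory or the Wireshark project); it assumes 'wireshark --version' prints the version on its first line, as the page's own check does:

```shell
# Added example, not part of the advisory: classify a Wireshark version string
# against the affected ranges this page lists for CVE-2021-4182
# (3.4.0 to 3.4.10 and 3.6.0; fixed in 3.4.11 and 3.6.1).

# cve_2021_4182_affected "<version or first line of 'wireshark --version'>"
# Returns 0 if the version is in an affected range, 1 if not, 2 if unparseable.
cve_2021_4182_affected() {
    # Keep the leading dotted-numeric part, e.g. "3.4.10" from
    # "Wireshark 3.4.10 (Git v3.4.10 packaged as 3.4.10-1)".
    ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2

    major=${ver%%.*}
    rest=${ver#*.};   [ "$rest" = "$ver" ] && rest=0     # "3"   -> 3.0.0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0  # "3.4" -> 3.4.0

    # Every component must be a plain integer before numeric comparison.
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done

    case "$major.$minor" in
        3.4) [ "$patch" -le 10 ] && return 0 ;;   # 3.4.0 .. 3.4.10 affected
        3.6) [ "$patch" -eq 0 ]  && return 0 ;;   # only 3.6.0 affected
    esac
    return 1
}

# check_installed_wireshark: run the page's own check ('wireshark --version')
# and classify the first line of its output.
check_installed_wireshark() {
    out=$(wireshark --version 2>/dev/null | head -n 1) || out=""
    if [ -z "$out" ]; then
        echo "wireshark not found in PATH; check Help -> About Wireshark instead"
        return 2
    fi
    if cve_2021_4182_affected "$out"; then
        echo "VULNERABLE: $out (upgrade to 3.4.11 / 3.6.1 or later)"
        return 0
    fi
    echo "not affected: $out"
    return 1
}

# Constructed sample strings showing the classification.
for v in "Wireshark 3.4.10 (Git v3.4.10)" "3.6.0" "3.4.11" "3.6.1" "3.2.18"; do
    if cve_2021_4182_affected "$v"; then echo "$v -> vulnerable"; else echo "$v -> not affected"; fi
done
```

Call check_installed_wireshark on the analysis host to test the installed build; it exits 0 only when the reported version falls in an affected range.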

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs, application error events in system logs

Network Indicators:

  • Unexpected RFC 7468 traffic patterns, packet injection attempts

SIEM Query:

(EventID 1000 'Application Error' with faulting application wireshark.exe) OR (Process Name: wireshark AND Termination Reason: Crash)
