CVE-2021-4184 – This vulnerability in Wireshark's BitTorrent DH... (How to Fix)

Q: What is the severity of CVE-2021-4184?

CVE-2021-4184 has a CVSS score of 7.5 (HIGH). This vulnerability in Wireshark's BitTorrent DHT dissector allows attackers to cause a denial of service (DoS) by triggering an infinite loop. Attackers can exploit this via packet injection on the network or by providing a malicious capture file. Users running affected Wireshark versions are vulnerable when analyzing network traffic.

📋 TL;DR

This vulnerability in Wireshark's BitTorrent DHT dissector allows attackers to cause a denial of service (DoS) by triggering an infinite loop. Attackers can exploit this via packet injection on the network or by providing a malicious capture file. Users running affected Wireshark versions are vulnerable when analyzing network traffic.

💻 Affected Systems

Products:

Wireshark

Versions: 3.6.0 and 3.4.0 through 3.4.10

Operating Systems: All platforms running affected Wireshark versions

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in the BitTorrent DHT dissector which is enabled by default. Only affects Wireshark when analyzing traffic containing BitTorrent DHT packets or when opening malicious capture files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Wireshark crash and system resource exhaustion, potentially affecting the entire system if Wireshark runs with high privileges or consumes all CPU/memory.

🟠

Likely Case

Wireshark becomes unresponsive and crashes, disrupting network analysis activities and potentially losing unsaved capture data.

🟢

If Mitigated

Limited to Wireshark application crash without system-wide impact if running with limited privileges and proper resource constraints.

🌐 Internet-Facing: MEDIUM - Attackers could inject malicious packets into networks where Wireshark is monitoring traffic, but requires specific network positioning.

🏢 Internal Only: MEDIUM - Malicious capture files could be shared internally, but requires user interaction to open the file in Wireshark.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires either network packet injection capability or convincing a user to open a malicious capture file. The infinite loop condition is easily triggered with crafted packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 3.4.11 and 3.6.1

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2021-04.html

Restart Required: Yes

Instructions:

1. Download latest Wireshark version from wireshark.org. 2. Uninstall current version. 3. Install patched version. 4. Restart system to ensure clean state.

🔧 Temporary Workarounds

Disable BitTorrent DHT dissector

all

Prevent Wireshark from processing BitTorrent DHT packets by disabling the dissector

wireshark -X lua_script:disable_dissector.lua
Create disable_dissector.lua with: DissectorTable.get("bt-dht"):remove("bt-dht")

Use packet filtering

linux

Filter out BitTorrent DHT traffic before it reaches Wireshark

tcpdump not port 6881 -w capture.pcap
Configure firewall to block UDP port 6881

🧯 If You Can't Patch

Restrict Wireshark to trusted users only and limit file opening to verified sources
Run Wireshark with limited privileges and resource constraints (ulimit -c, ulimit -v)

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version: Help → About Wireshark. If version is 3.6.0 or between 3.4.0-3.4.10, you are vulnerable.

Check Version:

wireshark --version | head -1

Verify Fix Applied:

Verify version is 3.4.11 or higher, or 3.6.1 or higher. Test with known malicious capture files if available.

📡 Detection & Monitoring

Log Indicators:

Wireshark crash logs
High CPU usage by Wireshark process
Application error events in system logs

Network Indicators:

Unusual BitTorrent DHT packets on network
Malformed UDP packets on port 6881

SIEM Query:

process_name:"wireshark.exe" AND (event_type:crash OR cpu_usage:>90)

📊 Metadata

CVE ID: CVE-2021-4184

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-835

Published: December 30, 2021

Last Updated: November 3, 2025

🔗 References

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4184.json Third Party Advisory
https://gitlab.com/wireshark/wireshark/-/issues/17754 Exploit,Issue Tracking,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00041.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ/
https://security.gentoo.org/glsa/202210-04 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Third Party Advisory
https://www.wireshark.org/security/wnpa-sec-2021-18.html Vendor Advisory
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4184.json Third Party Advisory
https://gitlab.com/wireshark/wireshark/-/issues/17754 Exploit,Issue Tracking,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00041.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ/
https://security.gentoo.org/glsa/202210-04 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Third Party Advisory
https://www.wireshark.org/security/wnpa-sec-2021-18.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-4184, you might also want to check these: