CVE-2024-4854

6.4 MEDIUM

📋 TL;DR

This vulnerability in Wireshark's MONGO and ZigBee TLV dissectors allows attackers to cause infinite loops via specially crafted network packets or capture files, leading to denial of service. Affected users include anyone running vulnerable Wireshark versions for network analysis or packet capture.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22
Operating Systems: All platforms running Wireshark (Windows, Linux, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when dissecting MONGO or ZigBee TLV protocol packets, either live or from capture files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Wireshark process crash or system resource exhaustion causing denial of service to network monitoring capabilities.

🟠

Likely Case

Wireshark becomes unresponsive when processing malicious packets, disrupting network analysis activities.

🟢

If Mitigated

Limited impact if Wireshark runs with resource limits or in isolated environments.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing, but could be affected if analyzing internet-sourced traffic.
🏢 Internal Only: MEDIUM - Internal attackers could disrupt network monitoring by injecting malicious packets into monitored networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to inject packets into monitored network or provide malicious capture file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.2.5, 4.0.15, and 3.6.23

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2024-07.html

Restart Required: Yes

Instructions:

1. Download the latest version from wireshark.org.
2. Uninstall the current version.
3. Install the patched version.
4. Restart the system, or at least all Wireshark processes.

🔧 Temporary Workarounds

Disable vulnerable dissectors

Platforms: all

Prevent Wireshark from parsing MONGO and ZigBee TLV protocols by disabling the two dissectors at startup (the `--disable-protocol` option is accepted by both wireshark and tshark and may be repeated; the same protocols can also be unchecked in the GUI under Analyze → Enabled Protocols):

wireshark --disable-protocol mongo --disable-protocol zbee_tlv
tshark --disable-protocol mongo --disable-protocol zbee_tlv -r capture.pcapng

🧯 If You Can't Patch

  • Restrict Wireshark to trusted networks only
  • Implement resource limits on Wireshark processes (CPU/memory limits)

🔍 How to Verify

Check if Vulnerable:

Check Wireshark version: Help → About Wireshark on GUI or 'wireshark --version' on CLI

Check Version:

wireshark --version | head -1

Verify Fix Applied:

Confirm version is 4.2.5+, 4.0.15+, or 3.6.23+
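A small script that automates the check above, comparing the version reported by `wireshark --version` (or `tshark --version`) against the affected and fixed ranges listed on this page. This is an added example, not part of the advisory; the banner strings below are constructed samples, and the assumption is that the first line of the version output contains the release as `X.Y.Z`.

```python
import re
import subprocess

# Affected ranges and first fixed release per branch, taken from the advisory:
# (branch, first affected, last affected, first fixed)
AFFECTED_RANGES = [
    ((4, 2), (4, 2, 0), (4, 2, 4), (4, 2, 5)),
    ((4, 0), (4, 0, 0), (4, 0, 14), (4, 0, 15)),
    ((3, 6), (3, 6, 0), (3, 6, 22), (3, 6, 23)),
]

# Matches the first dotted three-part version number in a banner line.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Extract (major, minor, patch) from a 'wireshark --version' banner line."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no X.Y.Z version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify a version tuple against the advisory's ranges.

    Returns 'vulnerable', 'fixed', or 'not-in-advisory' (a branch the
    advisory does not list, e.g. 4.4.x; check the vendor page for those).
    """
    for branch, first, last, fixed in AFFECTED_RANGES:
        if version[:2] == branch:
            if first <= version <= last:
                return "vulnerable"
            if version >= fixed:
                return "fixed"
    return "not-in-advisory"


def installed_version(binary="wireshark"):
    """Run '<binary> --version' and parse the first line of its output."""
    out = subprocess.run(
        [binary, "--version"], capture_output=True, text=True, check=True
    ).stdout
    return parse_version(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample banners in the shape Wireshark prints (assumption).
    samples = [
        "Wireshark 4.2.4 (v4.2.4-0-gdeadbeef0000)",
        "Wireshark 4.2.5 (v4.2.5-0-gdeadbeef0000)",
        "TShark (Wireshark) 3.6.22 (v3.6.22-0-gdeadbeef0000)",
        "Wireshark 4.4.0 (v4.4.0-0-gdeadbeef0000)",
    ]
    for line in samples:
        print(f"{line!r:60} -> {assess(parse_version(line))}")

    # Live check of the local install, if a wireshark binary is on PATH.
    for tool in ("wireshark", "tshark"):
        try:
            v = installed_version(tool)
            print(f"{tool}: {'.'.join(map(str, v))} -> {assess(v)}")
        except FileNotFoundError:
            print(f"{tool}: not found on PATH")
```

The ordering test works because Python compares tuples element by element, so `(4, 2, 4) <= (4, 2, 4)` is true and `(4, 2, 5) >= (4, 2, 5)` is true; branches the advisory does not mention are reported separately rather than silently treated as safe.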

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • High CPU usage from Wireshark processes
  • Repeated Wireshark process restarts

Network Indicators:

  • Unusual MONGO or ZigBee protocol traffic to monitoring interfaces
  • Malformed packet patterns targeting dissectors

SIEM Query (generic pseudo-query; adapt the field names to your SIEM. EventID 1000 is the Windows Application Error event logged on a process crash):

ProcessName="wireshark" AND (EventID=1000 OR CPUUsage>90)
