CVE-2025-11626

5.5 MEDIUM

📋 TL;DR

This vulnerability in Wireshark's MONGO dissector causes an infinite loop when processing specially crafted network packets, leading to denial of service. It affects Wireshark versions 4.4.0-4.4.9 and 4.2.0-4.2.13. Users who analyze MongoDB network traffic with vulnerable Wireshark versions are at risk.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13
Operating Systems: All platforms running Wireshark (Windows, Linux, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when analyzing MongoDB network traffic; all default configurations are vulnerable if processing affected packet types.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes or becomes unresponsive, disrupting network analysis operations and potentially causing system instability if running with high privileges.

🟠 Likely Case

Wireshark application hangs or crashes when processing malicious MongoDB packets, requiring manual termination and restart.

🟢 If Mitigated

Minimal impact with proper network segmentation and limited exposure to untrusted traffic.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's an analysis tool used on internal networks.
🏢 Internal Only: MEDIUM - Internal users analyzing potentially malicious traffic could experience service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to inject malicious packets into network traffic being analyzed; exploitation depends on network position and traffic capture.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.4.10 or 4.2.14

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2025-04.html

Restart Required: No

Instructions:

1. Download the latest version from wireshark.org
2. Install over the existing version
3. Verify the installation with 'wireshark -v'

🔧 Temporary Workarounds

Disable MONGO dissector

all

Prevent Wireshark from parsing MongoDB traffic by disabling the dissector:

Edit preferences -> Protocols -> MONGO -> Uncheck 'Enable MONGO protocol'

🧯 If You Can't Patch

  • Restrict Wireshark use to trusted networks only
  • Implement network segmentation to limit exposure to untrusted MongoDB traffic

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version: if it falls within 4.4.0-4.4.9 or 4.2.0-4.2.13, the installation is vulnerable

Check Version:

wireshark -v

Verify Fix Applied:

Verify version is 4.4.10+ or 4.2.14+ and test with sample MongoDB traffic
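As an added example (not part of this advisory), a POSIX shell helper that reads the first line of `wireshark -v` (or `tshark -v`) output and classifies the version against the affected and fixed versions listed above; the function name and the sample version banners are our own constructions.

```shell
#!/bin/sh
# Added example for CVE-2025-11626 (not from the advisory): classify a
# Wireshark version against the ranges the advisory lists.
#   affected: 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13
#   fixed:    4.4.10 and 4.2.14
# Input is the first line of `wireshark -v` / `tshark -v` output, e.g.
# "Wireshark 4.4.9 (v4.4.9-0-g...)". The function name is our own choice.

# Prints one of: vulnerable | fixed | not_listed | unknown.
# Always returns 0 so it is safe inside command substitution under `set -e`.
cve_2025_11626_status() {
    # Pull the first X.Y.Z token out of the version banner.
    ver=$(printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -eq 4 ] && [ "$minor" -eq 4 ]; then
        # 4.4 branch: affected up to 4.4.9, fixed in 4.4.10
        if [ "$patch" -le 9 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 2 ]; then
        # 4.2 branch: affected up to 4.2.13, fixed in 4.2.14
        if [ "$patch" -le 13 ]; then echo vulnerable; else echo fixed; fi
    else
        # Branch not named in the advisory; consult the vendor page for it.
        echo not_listed
    fi
    return 0
}

# Stand-alone use: classify the locally installed binary, if there is one.
if command -v wireshark >/dev/null 2>&1; then
    banner=$(wireshark -v 2>/dev/null | head -n 1)
    echo "$banner -> $(cve_2025_11626_status "$banner")"
fi
```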

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs
  • Application hang events in system logs

Network Indicators:

  • Unusual MongoDB packet patterns targeting analysis systems

SIEM Query:

source="wireshark" AND (event="crash" OR event="hang")
