CVE-2026-3201

4.7 MEDIUM

📋 TL;DR

A memory exhaustion vulnerability in Wireshark's USB HID protocol dissector allows attackers to cause denial of service by sending specially crafted packets. This affects Wireshark users analyzing USB traffic in versions 4.6.0-4.6.3 and 4.4.0-4.4.13. The vulnerability can crash Wireshark but does not allow code execution.

💻 Affected Systems

Products:
  • Wireshark
Versions: 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13
Operating Systems: Windows, Linux, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when analyzing USB traffic containing HID protocol data; other protocol analysis is unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Wireshark crashes repeatedly when analyzing malicious USB traffic, preventing network analysis and potentially disrupting monitoring operations.

🟠 Likely Case

Wireshark crashes when processing specially crafted USB packets, requiring restart and potentially losing unsaved capture data.

🟢 If Mitigated

Wireshark crashes but no data exfiltration or system compromise occurs; only the application is affected.

🌐 Internet-Facing: LOW - Wireshark is typically not internet-facing; it's a network analysis tool used internally.
🏢 Internal Only: MEDIUM - Internal attackers could disrupt network monitoring operations by sending malicious USB traffic to monitored systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending specially crafted USB packets to monitored network segment.

Exploitation requires the attacker to have network access to send USB traffic that will be captured and analyzed by Wireshark.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Wireshark 4.6.4 and 4.4.14

Vendor Advisory: https://www.wireshark.org/security/wnpa-sec-2026-05.html

Restart Required: Yes

Instructions:

1. Download latest Wireshark from wireshark.org/download.html
2. Run installer (Windows) or package manager update (Linux/macOS)
3. Restart Wireshark after installation
4. Verify version with 'wireshark -v' command

🔧 Temporary Workarounds

Disable USB HID protocol dissector

Platforms: all

Temporarily disable the vulnerable protocol dissector to prevent crashes

wireshark --disable-protocol usbhid

Filter USB traffic

Platforms: all

Use capture filters to exclude USB traffic from analysis

tshark -f "not usb"

🧯 If You Can't Patch

  • Restrict network access to prevent malicious USB traffic from reaching monitored segments
  • Use alternative network analysis tools temporarily until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check the Wireshark version: versions 4.6.0 through 4.6.3 and 4.4.0 through 4.4.13 are vulnerable.

Check Version:

wireshark -v

Verify Fix Applied:

Use the 'wireshark -v' command to verify that the version is 4.6.4 or later on the 4.6 branch, or 4.4.14 or later on the 4.4 branch.
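
The version check above as a script, for running across many analyst workstations. This is an added example, not vendor tooling: the function names and the sample banner strings are constructed, and it assumes the first line of the version output contains the release as x.y.z.

```shell
#!/bin/sh
# Added example: classify a Wireshark/TShark version against the ranges on this page.
# Affected: 4.6.0-4.6.3 and 4.4.0-4.4.13. Fixed: 4.6.4 and 4.4.14.

# Pull the first x.y.z number out of a version banner line.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print one of: vulnerable | fixed | not-listed | unknown
#   not-listed = a release branch this page makes no statement about
#   unknown    = input is not a plain x.y.z version
classify_version() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    # The fixed patch level differs per branch, so "higher number" alone is
    # not enough: 4.6.0 sorts above 4.4.14 but is still affected.
    case "$1.$2" in
        4.6) fixed_patch=4 ;;
        4.4) fixed_patch=14 ;;
        *)   echo not-listed; return 0 ;;
    esac
    if [ "$3" -lt "$fixed_patch" ]; then echo vulnerable; else echo fixed; fi
}

# Classify the locally installed tshark, if there is one.
check_local() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found"; return 0; }
    classify_version "$(extract_version "$(tshark -v 2>/dev/null | head -n 1)")"
}

# Constructed sample banners (not captured from a real install).
for banner in \
    "TShark (Wireshark) 4.6.2 (v4.6.2-0-g0123456789ab)." \
    "Wireshark 4.4.14 (Git v4.4.14 packaged as 4.4.14-1)." \
    "TShark (Wireshark) 4.2.9 (v4.2.9-0-g0123456789ab)."; do
    v=$(extract_version "$banner")
    printf '%s -> %s\n' "$v" "$(classify_version "$v")"
done
```

Call `check_local` on a host to classify its installed build; a `not-listed` result means the branch has to be checked against the vendor advisory instead.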

📡 Detection & Monitoring

Log Indicators:

  • Wireshark crash logs with segmentation fault or memory errors
  • Application event logs showing Wireshark unexpected termination

Network Indicators:

  • Unusual USB traffic patterns targeting monitored segments
  • Repeated USB protocol packets from single sources

SIEM Query:

(EventID=1000 OR EventID=1001) AND (ProcessName="wireshark.exe" OR ProcessName="tshark") AND Keywords="Crash"
