CVE-2026-3203
Published: 25 February 2026
Summary
CVE-2026-3203 is a medium-severity Buffer Over-read (CWE-126) vulnerability in Wireshark. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 8.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-3203 affects the RF4CE Profile protocol dissector in Wireshark versions 4.6.0 through 4.6.3 and 4.4.0 through 4.4.13. The vulnerability causes a crash in the dissector, enabling a denial of service condition. It is rated with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and is associated with CWE-126.
The attack requires local access and user interaction, with low complexity and no privileges. An attacker can exploit it by tricking a user into opening a specially crafted packet capture file containing malformed RF4CE Profile traffic using the affected Wireshark versions. Successful exploitation results in a crash of the Wireshark application, leading to high-impact denial of service on availability with no impact on confidentiality or integrity.
Wireshark's security advisory WNPA-SEC-2026-07 at https://www.wireshark.org/security/wnpa-sec-2026-07.html and the related GitLab issue tracker entry at https://gitlab.com/wireshark/wireshark/-/issues/21009 provide further details on the vulnerability. These resources cover the issue discovery and resolution in Wireshark's development process.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8662
Vulnerability details
RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability triggered by user opening malicious .pcap file (T1204.002) resulting in application crash via buffer over-read exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the Wireshark patch that fixes the RF4CE dissector crash before a crafted capture file can be opened.
Limits the protocol dissectors and file-processing features available in Wireshark, reducing the attack surface for malformed RF4CE traffic.
Enables monitoring for abnormal Wireshark process termination or crashes triggered by opening malicious packet captures.
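To support the flaw-remediation control above, the following added example (not code from Wireshark or from this page's publisher) triages an inventory of installed Wireshark/TShark versions against the affected ranges stated on this page. It assumes version banners in the style of the first line of `tshark --version`; the hostnames and banners are constructed sample data.

```python
import re

# Affected ranges as stated on this page (inclusive on both ends).
AFFECTED_RANGES = [
    ((4, 6, 0), (4, 6, 3)),
    ((4, 4, 0), (4, 4, 13)),
]

# First three-part version in a banner such as
# "TShark (Wireshark) 4.6.2 (v4.6.2-0-g...)" or a bare "4.4.13".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(banner):
    """True if in a listed range, False if outside, None if unparseable."""
    version = parse_version(banner)
    if version is None:
        return None
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'affected' | 'not affected' | 'unknown' for {host: banner}."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(b)] for host, b in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "analyst-01": "Wireshark 4.6.2 (v4.6.2-0-g0000000000)",
    "analyst-02": "TShark (Wireshark) 4.4.13 (v4.4.13-0-g0000000000)",
    "sensor-01": "TShark (Wireshark) 4.2.9",
    "sensor-02": "tshark: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

"not affected" here means only that the version falls outside the two ranges listed on this page; hosts reported as "unknown" need a manual check.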