Cyber Resilience

CVE-2026-3203

Medium

Published: 25 February 2026

Published
25 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score 0.0003 8.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3203 is a medium-severity Buffer Over-read (CWE-126) vulnerability in Wireshark Wireshark. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-3203 affects the RF4CE Profile protocol dissector in Wireshark versions 4.6.0 through 4.6.3 and 4.4.0 through 4.4.13. The vulnerability causes a crash in the dissector, enabling a denial of service condition. It is rated with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and is associated with CWE-126.

The attack requires local access and user interaction, with low complexity and no privileges. An attacker can exploit it by tricking a user into opening a specially crafted packet capture file containing malformed RF4CE Profile traffic using the affected Wireshark versions. Successful exploitation results in a crash of the Wireshark application, leading to high-impact denial of service on availability with no impact on confidentiality or integrity.

Wireshark's security advisory WNPA-SEC-2026-07 at https://www.wireshark.org/security/wnpa-sec-2026-07.html and the related GitLab issue tracker entry at https://gitlab.com/wireshark/wireshark/-/issues/21009 provide further details on the vulnerability. These resources cover the issue discovery and resolution in Wireshark's development process.

EU & UK References

Vulnerability details

RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability triggered by user opening malicious .pcap file (T1204.002) resulting in application crash via buffer over-read exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1492Same product: Wireshark Wireshark
CVE-2026-5657Same product: Wireshark Wireshark
CVE-2026-5655Same product: Wireshark Wireshark
CVE-2026-6519Same product: Wireshark Wireshark
CVE-2026-5653Same product: Wireshark Wireshark
CVE-2026-7375Same product: Wireshark Wireshark
CVE-2026-5654Same product: Wireshark Wireshark
CVE-2026-6520Same product: Wireshark Wireshark
CVE-2026-3201Same product: Wireshark Wireshark
CVE-2026-6868Same product: Wireshark Wireshark

Affected Assets

wireshark
wireshark
4.4.0 — 4.4.14 · 4.6.0 — 4.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the Wireshark patch that fixes the RF4CE dissector crash before a crafted capture file can be opened.

prevent

Limits the protocol dissectors and file-processing features available in Wireshark, reducing the attack surface for malformed RF4CE traffic.

detect

Enables monitoring for abnormal Wireshark process termination or crashes triggered by opening malicious packet captures.

References