CVE-2026-5402

HighPublic PoC

Published: 30 April 2026

Published

30 April 2026

Modified

01 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 11.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5402 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Wireshark Wireshark. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching of the heap overflow vulnerability in Wireshark versions 4.6.0-4.6.4 as described in the Wireshark security advisory.

SI-16 Memory Protection good match

prevent

Implements memory protections like ASLR, DEP, and heap canaries to prevent successful code execution from the TLS dissector heap overflow.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Requires vulnerability scanning to identify systems running affected Wireshark versions, enabling targeted remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

The vulnerability is triggered when a user opens a specially crafted packet capture file containing malicious TLS traffic, directly enabling exploitation via T1204.002 Malicious File under User Execution, leading to possible code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution

Deeper analysisAI

CVE-2026-5402 is a heap overflow vulnerability (CWE-122) in the TLS protocol dissector affecting Wireshark versions 4.6.0 through 4.6.4. Published on 2026-04-30, this flaw can lead to denial of service and possible code execution, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Attackers can exploit this vulnerability remotely with low complexity and no required privileges, but it necessitates user interaction, such as convincing a Wireshark user to open a specially crafted packet capture file containing malicious TLS traffic. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially enabling arbitrary code execution on the affected system.

Wireshark security advisory WNPA-SEC-2026-14 (https://www.wireshark.org/security/wnpa-sec-2026-14.html) and the associated GitLab issue tracker (https://gitlab.com/wireshark/wireshark/-/issues/21090) provide details on mitigation, including patches and recommended actions for affected users.

Details

CWE(s): CWE-122

Affected Products

wireshark

4.6.0 — 4.6.4

CVEs Like This One

CVE-2026-5653Same product: Wireshark Wireshark

CVE-2026-7378Same product: Wireshark Wireshark

CVE-2026-3203Same product: Wireshark Wireshark

CVE-2025-1492Same product: Wireshark Wireshark

CVE-2026-5403Same product: Wireshark Wireshark

CVE-2026-7375Same product: Wireshark Wireshark

CVE-2026-5656Same product: Wireshark Wireshark

CVE-2026-5657Same product: Wireshark Wireshark

CVE-2026-5655Same product: Wireshark Wireshark

CVE-2026-6519Same product: Wireshark Wireshark

References

https://gitlab.com/wireshark/wireshark/-/issues/21090
Exploit, Issue Tracking · cve@gitlab.com
https://www.wireshark.org/security/wnpa-sec-2026-14.html
Vendor Advisory · cve@gitlab.com