CVE-2026-5403
Published: 01 May 2026
Summary
CVE-2026-5403 is a high-severity heap-based buffer overflow (CWE-122) in Wireshark. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 1.0th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching and remediation of the heap-based buffer overflow in Wireshark's SBC codec dissector, as advised in WNPA-SEC-2026-16.
- SI-16 (Memory Protection): provides memory protections such as ASLR and DEP that make turning the heap-based buffer overflow into reliable code execution harder; they do not prevent the crash (denial of service).
- SI-10 (Information Input Validation): mandates validation of the SBC codec data that Wireshark dissectors read from packet captures, addressing the root cause, malformed codec data reaching the dissector unchecked.
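The input-validation control above is abstract, so here is an added illustration of the pattern behind CWE-122 in a codec-style decoder, beside the hardened form. This is example code written for this page; it is not Wireshark's SBC dissector, not the actual CVE-2026-5403 defect, and the three-byte frame header (blocks, subbands, channels, then payload) is invented for the demonstration.

```c
/* Added illustration (not Wireshark code and not the actual CVE-2026-5403
 * defect): a codec-style decoder that sizes its output from header fields.
 * The frame layout is invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BLOCKS    16
#define MAX_SUBBANDS  8
#define MAX_CHANNELS  2
/* Fixed heap buffer sized for the largest legal frame: 16*8*2 samples * 2 bytes. */
#define PCM_BUF_BYTES (MAX_BLOCKS * MAX_SUBBANDS * MAX_CHANNELS * 2)

/* Toy frame: [blocks][subbands][channels][payload ...].
 * Decoded output is blocks*subbands*channels 16-bit PCM samples. */
static size_t pcm_bytes(unsigned blocks, unsigned subbands, unsigned channels) {
    return (size_t)blocks * subbands * channels * 2;
}

/* Toy "decode": derive each output sample from the payload cyclically. */
static void expand(int16_t *out, size_t nsamples, const uint8_t *payload, size_t plen) {
    for (size_t i = 0; i < nsamples; i++)
        out[i] = plen ? (int16_t)(payload[i % plen] << 4) : 0;
}

/* VULNERABLE pattern (CWE-122): the output size is computed from untrusted
 * header bytes and never compared with the fixed-size heap buffer. A frame
 * with blocks=255 asks for 255*8*2*2 = 8160 bytes but only 512 were
 * allocated, so expand() writes past the end of the allocation.
 * Returns bytes decoded, or negative on error. Never run on hostile input. */
int decode_frame_unsafe(const uint8_t *frame, size_t flen) {
    if (frame == NULL || flen < 3) return -1;
    size_t need = pcm_bytes(frame[0], frame[1], frame[2]);
    int16_t *pcm = malloc(PCM_BUF_BYTES);
    if (pcm == NULL) return -1;
    expand(pcm, need / 2, frame + 3, flen - 3);   /* heap overflow when need > PCM_BUF_BYTES */
    free(pcm);
    return (int)need;
}

/* HARDENED version: every header field is validated against what the format
 * allows, and the derived size is checked against the destination before
 * any write. A malformed frame costs one rejected frame, not memory
 * corruption. Returns bytes decoded, or a negative error code. */
int decode_frame_safe(const uint8_t *frame, size_t flen) {
    if (frame == NULL || flen < 3) return -1;          /* header truncated */
    unsigned blocks = frame[0], subbands = frame[1], channels = frame[2];
    if (blocks == 0 || blocks > MAX_BLOCKS) return -2; /* field out of range */
    if (subbands != 4 && subbands != 8) return -2;
    if (channels != 1 && channels != 2) return -2;
    size_t need = pcm_bytes(blocks, subbands, channels);
    if (need > PCM_BUF_BYTES) return -3;               /* defence in depth: re-check derived size */
    int16_t *pcm = malloc(PCM_BUF_BYTES);
    if (pcm == NULL) return -1;
    expand(pcm, need / 2, frame + 3, flen - 3);
    free(pcm);
    return (int)need;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t FRAME_OK[]  = {16, 8, 2, 0x11, 0x22, 0x33};  /* largest legal frame: 512 bytes out */
const uint8_t FRAME_BAD[] = {255, 8, 2, 0x11};             /* blocks=255 -> 8160 bytes into 512 */

int main(void) {
    printf("safe, legal frame:   %d\n", decode_frame_safe(FRAME_OK, sizeof FRAME_OK));
    printf("safe, hostile frame: %d\n", decode_frame_safe(FRAME_BAD, sizeof FRAME_BAD));
    /* decode_frame_unsafe(FRAME_BAD, ...) is deliberately not called: it would
       corrupt the heap (run it under AddressSanitizer to see the report). */
    return 0;
}
```

The point of the hardened version is that the check sits on the derived quantity (the number of bytes about to be written) as well as on the raw fields, so a later change to the size formula cannot silently reopen the overflow.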
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap-based buffer overflow in the Wireshark SBC codec dissector is triggered when a user opens malicious packet data in Wireshark, yielding a crash (denial of service) or possibly code execution in the context of that user; a client application processing attacker-supplied content maps directly to Exploitation for Client Execution (T1203).
NVD Description
SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
Deeper analysis
CVE-2026-5403 affects the SBC codec dissector in Wireshark 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The defect is a heap-based buffer overflow (CWE-122, a form of out-of-bounds write, CWE-787): malformed SBC codec data crashes the dissector, and the out-of-bounds write may allow code execution. Published on 2026-05-01, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vector is local (AV:L) because the malformed data must be processed by Wireshark on the victim's machine; no privileges are required and complexity is low, but user interaction is needed, typically convincing a Wireshark user to open a crafted capture file. As with other Wireshark dissector bugs, the same dissector code runs during live capture, so crafted packets on a network the user is capturing reach it without any file being opened. Successful exploitation crashes the application or potentially executes code with the privileges of the Wireshark user, giving high confidentiality, integrity and availability impact on that host; running Wireshark itself unprivileged, with capture rights delegated to dumpcap, limits what such code execution can reach.
For mitigation guidance and patches, refer to the Wireshark security advisory WNPA-SEC-2026-16 at https://www.wireshark.org/security/wnpa-sec-2026-16.html and the related GitLab issue at https://gitlab.com/wireshark/wireshark/-/issues/21103; the fix is to upgrade to a release outside the affected ranges, as named in the advisory.
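The affected ranges above are exact, so the practical check is a version comparison. The following is an added example for this page (not from the advisory or the Wireshark project) that classifies a version string against the two listed ranges; the banner shape parsed by affected_from_banner() is an assumption about what `tshark --version` prints, and the sample strings are constructed.

```c
/* Added example (not from the advisory or the Wireshark project): classify a
 * Wireshark/TShark version string against the affected ranges the page lists
 * for CVE-2026-5403. The banner format parsed by affected_from_banner() is an
 * assumption about what `tshark --version` prints. */
#include <stdio.h>
#include <string.h>

struct ver { int major, minor, patch; };

/* Parse "A.B.C"; anything after the third number (e.g. "rc0") is ignored. */
int parse_version(const char *s, struct ver *v) {
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

static int in_branch(const struct ver *v, int major, int minor, int lo, int hi) {
    return v->major == major && v->minor == minor && v->patch >= lo && v->patch <= hi;
}

/* 1 = inside an affected range, 0 = outside every listed range,
 * -1 = could not parse. A 0 only means "not listed": the page gives ranges
 * for 4.6.x and 4.4.x, so an older, unsupported branch is not thereby
 * declared fixed. */
int cve_2026_5403_affected(const char *version) {
    struct ver v;
    if (!parse_version(version, &v)) return -1;
    if (in_branch(&v, 4, 6, 0, 4))  return 1;   /* 4.6.0 - 4.6.4 */
    if (in_branch(&v, 4, 4, 0, 14)) return 1;   /* 4.4.0 - 4.4.14 */
    return 0;
}

/* Assumed banner shape: "TShark (Wireshark) 4.6.3 (v4.6.3-0-g...)".
 * The version follows the first ") " in the line. */
int affected_from_banner(const char *banner) {
    const char *p = strstr(banner, ") ");
    if (p == NULL) return -1;
    return cve_2026_5403_affected(p + 2);
}

int main(void) {
    /* Constructed inputs, not output captured from a real host. */
    const char *samples[] = { "4.6.3", "4.6.5", "4.4.14", "4.4.15", "4.2.10", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], cve_2026_5403_affected(samples[i]));
    printf("banner -> %d\n", affected_from_banner("TShark (Wireshark) 4.6.2 (v4.6.2-0-g0123456789ab)"));
    return 0;
}
```

In practice the input is the first line of `tshark --version` (or `wireshark --version`) on each host; treat a -1 as "unknown, inspect manually" rather than as clean.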
Details
- CWE(s)