CVE-2026-5405
Published: 01 May 2026
Summary
CVE-2026-5405 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Wireshark. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 1.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely identification, reporting, prioritization, and correction of flaws such as the heap-based buffer overflow in Wireshark's RDP dissector, via vendor patches.
- SI-5 (Security Alerts, Advisories, and Directives): requires monitoring and dissemination of security advisories, such as Wireshark's WNPA-SEC bulletin for CVE-2026-5405, to enable rapid flaw remediation.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies deployments of affected Wireshark versions that are exposed to RDP dissector crashes and potential code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a buffer overflow in the RDP dissector of Wireshark, a client application. It is exploited directly by tricking a user into opening a malicious pcap file, enabling client-side code execution or denial of service as described in T1203 Exploitation for Client Execution.
NVD Description
RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
Deeper analysis
CVE-2026-5405 is a vulnerability in the RDP protocol dissector within Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. It stems from heap-based buffer overflow and out-of-bounds write issues (CWE-122 and CWE-787), which can cause a crash in the dissector. Published on 2026-05-01, the flaw has a CVSS v3.1 base score of 7.8.
An attacker with local access can exploit this vulnerability by tricking a user of an affected Wireshark version into opening a malicious packet capture file containing crafted RDP traffic. The attack has low complexity, requires user interaction, and needs no privileges. Successful exploitation causes a denial of service through an application crash, with potential for code execution, resulting in high impacts to confidentiality, integrity, and availability.
Wireshark advisories detail the issue and mitigation steps, available at https://www.wireshark.org/security/wnpa-sec-2026-17.html, https://gitlab.com/wireshark/wireshark/-/issues/21105, and https://gitlab.com/wireshark/wireshark/-/work_items/21105. Users should update to a patched version outside the affected ranges to resolve the vulnerability.
Details
- CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)