Cyber Resilience

CVE-2026-5653

MediumPublic PoC

Published: 30 April 2026

Published
30 April 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score 0.0003 9.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5653 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Wireshark Wireshark. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-5653 is a vulnerability in the DCP-ETSI protocol dissector within Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. It causes a crash that enables denial of service, stemming from CWE-122. The issue was published on 2026-04-30 and carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

An attacker with local access can exploit this vulnerability by tricking a user into opening a specially crafted packet capture file in Wireshark. No privileges are required, but user interaction is necessary, and the attack has low complexity. Successful exploitation results in a denial of service through application crash, with no impact on confidentiality or integrity.

Wireshark's security advisory WNPA-SEC-2026-22, along with related GitLab issues and work items, provides details on the flaw. Security practitioners should consult these references for patch information and mitigation guidance.

EU & UK References

Vulnerability details

DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in Wireshark file parser causes crash on crafted PCAP (CWE-122), directly enabling malicious file delivery for user execution (T1204.002) and application exploitation for endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7378Same product: Wireshark Wireshark
CVE-2026-5402Same product: Wireshark Wireshark
CVE-2025-1492Same product: Wireshark Wireshark
CVE-2026-5657Same product: Wireshark Wireshark
CVE-2026-6868Same product: Wireshark Wireshark
CVE-2026-7375Same product: Wireshark Wireshark
CVE-2026-6520Same product: Wireshark Wireshark
CVE-2026-5654Same product: Wireshark Wireshark
CVE-2026-3203Same product: Wireshark Wireshark
CVE-2026-5655Same product: Wireshark Wireshark

Affected Assets

wireshark
wireshark
4.4.0 — 4.4.14 · 4.6.0 — 4.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the buffer error (CWE-122) in Wireshark's DCP-ETSI dissector by requiring timely patching of affected versions to prevent DoS crashes from crafted pcap files.

detect

Enables detection of the vulnerability in deployed Wireshark instances through vulnerability scanning of applications and systems.

detect

Provides awareness of Wireshark advisories like WNPA-SEC-2026-22 to prompt remediation of the DoS vulnerability.

References