CVE-2026-5654
Published: 30 April 2026
Summary
CVE-2026-5654 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Wireshark. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 5.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-5654 by requiring timely installation of Wireshark patches that fix the AMR-NB codec stack buffer overflow.
Requires monitoring and dissemination of security advisories like Wireshark's WNPA-SEC-2026-18 to identify and address the vulnerable AMR-NB codec versions.
Enables scanning for CVE-2026-5654 to identify systems running affected Wireshark versions 4.6.0-4.6.4 or 4.4.0-4.4.14.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by opening a malicious capture file with crafted AMR-NB data (T1204.002), leading to an application crash via stack buffer overflow exploitation for DoS (T1499.004).
NVD Description
AMR-NB codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Deeper analysis
CVE-2026-5654 is a vulnerability in the AMR-NB codec implementation within Wireshark, affecting versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The flaw, classified under CWE-121 (stack-based buffer overflow), triggers a crash when processing malformed AMR-NB audio data, resulting in a denial-of-service condition. Published on April 30, 2026, it carries a CVSS v3.1 base score of 5.5, reflecting medium severity due to its local attack vector and high availability impact.
Exploitation uses a local attack vector with no privileges required (PR:N), low complexity (AC:L), and user interaction (UI:R), such as convincing a user to open a malicious capture file containing crafted AMR-NB data in Wireshark. Successful exploitation causes the application to crash, disrupting network analysis workflows. There is no impact on confidentiality or integrity (C:N/I:N), the scope is unchanged (S:U), and the availability impact is high (A:H).
Wireshark's security advisory WNPA-SEC-2026-18 and related GitLab issues (21111) detail the issue and recommend mitigation through updating to patched versions beyond the affected ranges. Practitioners should consult these resources for specific fixed releases and verify installations to prevent crashes from malformed files.
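One way to carry out the installation check described above, as an added example (not code from Wireshark or the advisory): it parses version banners collected from hosts and flags those inside the two affected ranges listed on this page. The host names and banner strings are constructed, and because the page does not state the fixed releases, versions outside the ranges are reported as "not in range" rather than "patched".

```python
import re

# Affected ranges as stated on this page (inclusive bounds). Fixed releases are
# not listed on the page, so anything outside is only reported as "not in range".
AFFECTED = [((4, 6, 0), (4, 6, 4)), ((4, 4, 0), (4, 4, 14))]

# Assumed banner shape of `wireshark --version` / `tshark --version` (first line).
BANNER = re.compile(r"^(?:TShark \(Wireshark\)|Wireshark)\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None if unparseable."""
    m = BANNER.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """Numeric tuple comparison, so 4.4.14 sorts after 4.4.2 (a string compare would not)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)


def triage(inventory):
    """Map host -> 'affected' | 'not in range' | 'unknown' for (host, banner) pairs."""
    result = {}
    for host, banner in inventory:
        v = parse_version(banner)
        if v is None:
            result[host] = "unknown"  # tool missing or unexpected output: check by hand
        else:
            result[host] = "affected" if is_affected(v) else "not in range"
    return result


# Constructed sample inventory (hypothetical hosts and banners, not from the page).
SAMPLE = [
    ("analyst-01", "Wireshark 4.6.3 (v4.6.3-0-gconstructed)."),
    ("analyst-02", "TShark (Wireshark) 4.4.14 (v4.4.14-0-gconstructed)."),
    ("analyst-03", "TShark (Wireshark) 4.4.15 (v4.4.15-0-gconstructed)."),
    ("analyst-04", "Wireshark 4.2.9 (v4.2.9-0-gconstructed)."),
    ("analyst-05", "wireshark: command not found"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```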
Details
- CWE(s)